US20080151893A1 - Method and system for virtual routing using containers - Google Patents
- Publication number
- US20080151893A1
- Authority
- US
- United States
- Prior art keywords
- nic
- packet
- container
- virtual
- network
- Prior art date
- Legal status
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/60—Router architectures
- H04L49/00—Packet switching elements
- H04L49/30—Peripheral units, e.g. input or output ports
- H04L49/70—Virtual switches
Definitions
- the present application contains subject matter that may be related to the subject matter in the following U.S. applications filed on Apr. 22, 2005, and assigned to the assignee of the present application: “Method and Apparatus for Managing and Accounting for Bandwidth Utilization Within A Computing System” with U.S. application Ser. No. 11/112,367 (Attorney Docket No. 03226/643001; SUN050681); “Method and Apparatus for Consolidating Available Computing Resources on Different Computing Devices” with U.S. application Ser. No. 11/112,368 (Attorney Docket No. 03226/644001; SUN050682); “Assigning Higher Priority to Transactions Based on Subscription Level” with U.S.
- the present application contains subject matter that may be related to the subject matter in the following U.S. applications filed on Oct. 21, 2005, and assigned to the assignee of the present application: “Method and Apparatus for Defending Against Denial of Service Attacks” with U.S. application Ser. No. 11/255,366 (Attorney Docket No. 03226/688001; SUN050966); “Router Based Defense against Denial of Service Attacks Using Dynamic Feedback from Attacked Host” with U.S. application Ser. No. 11/256,254 (Attorney Docket No.
- the present application contains subject matter that may be related to the subject matter in the following U.S. applications filed on Jun. 30, 2006, and assigned to the assignee of the present application: “Network Interface Card Virtualization Based On Hardware Resources and Software Rings” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/870001; SUN061020); “Method and System for Controlling Virtual Machine Bandwidth” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/871001; SUN061021); “Virtual Switch” with U.S. application Ser. No. TBD (Attorney Docket No.
- TBD (Attorney Docket No. 03226/878001; SUN061029); “Method and Apparatus for Containing a Denial of Service Attack Using Hardware Resources on a Virtual Network Interface Card” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/879001; SUN061033); “Virtual Network Interface Cards with VLAN Functionality” with U.S. application Ser. No. TBD (Attorney Docket No 03226/882001; SUN061037); “Method and Apparatus for Dynamic Assignment of Network Interface Card Resources” with U.S. application Ser. No. TBD (Attorney Docket No.
- the present application contains subject matter that may be related to the subject matter in the following U.S. applications filed on Jul. 20, 2006, and assigned to the assignee of the present application: “Low Impact Network Debugging” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/829001; SUN060545); “Reflecting Bandwidth and Priority in Network Attached Storage I/O” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/830001; SUN060587); “Priority and Bandwidth Specification at Mount Time of NAS Device Volume” with U.S. application Ser. No. TBD (Attorney Docket No.
- TBD (Attorney Docket No. 03226/881001; SUN061036); “Multiple Virtual Network Stack Instances Using Virtual Network Interface Cards” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/888001; SUN061041); “Method and System for Network Configuration for Containers” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/889001; SUN061044); “Network Memory Pools for Packet Destinations and Virtual Machines” with U.S. application Ser. No. TBD (Attorney Docket No.
- the present application contains subject matter that may be related to the subject matter in the following U.S. applications filed on Nov. 28, 2006, and assigned to the assignee of the present application: “Virtual Network Testing and Deployment using Network Stack Instances and Containers” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/892001; SUN061072) and “Method and System for Creating A Demilitarized Zone using Network Stack Instances” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/891001; SUN061071) filed on Dec. 20, 2006.
- the present application contains subject matter that may be related to the subject matter in the following U.S. application filed on Dec. 20, 2006, and assigned to the assignee of the present application: “Network Stack Instance Architecture with Selection of Transport Layers” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/854001; SUN061184).
- Network traffic is transmitted over a network, such as the Internet, from a sending computer system, via a first network interface card (NIC), to a receiving computer system via a second NIC.
- the NIC is a piece of hardware found in a typical computer system that includes functionality to send and receive network traffic.
- network traffic is transmitted in the form of packets, where each packet includes a header and a payload.
- the header contains information regarding the source address, destination address, size, transport protocol used to transmit the packet, and various other identification information associated with the packet.
- the payload contains the actual data to be transmitted from the network to the receiving system.
- Each of the packets sent between the sending system and receiving system is typically transmitted through one or more connections.
- the connections may occur on a physical level.
- the packets may be transmitted as signals (e.g., electrical, optical, etc) between the two systems through a variety of cables, routers, transmitters, receivers, and/or other interconnected hardware.
- the connections may occur on a logical level. For example, in order for the sending system and receiving system to communicate with one another, packets must properly reach the receiving system from the sending system. The receiving device must also recognize that the packets received are indeed meant for the receiving device and separate the packets from other incoming signals. Networking protocols dictate the rules for data representation, signaling, transfer, authentication, and error detection required to transmit information between the sending system and receiving system.
- the Open Systems Interconnection Reference Model (OSI model) describes seven different layers that define requirements for communications between two computer systems.
- the OSI model was developed to enable interoperability between platforms offered by various vendors. Each layer of the OSI model performs services for the layer above and requests services from the layer below.
- the layers of the OSI model are: (i) the physical layer, which defines the electrical and physical specifications for devices, (ii) the data link layer, which specifies the transfer of data between network entities, (iii) the network layer, which describes the transmission of variable length data sequences from a source to a destination via one or more networks, (iv) the transport layer, which transfers data between end users, (v) the session layer, which opens, maintains, and closes connections between network devices, (vi) the presentation layer, which transforms data into a form usable by an application, and finally, (vii) the application layer, which allows a user to access the information transmitted over the network.
- the invention in general, in one aspect, relates to a method for routing a packet.
- the method includes receiving the packet in a network interface card (NIC), classifying the packet, placing the packet in a receive ring of the NIC, sending the packet to a virtual NIC associated with the receive ring, sending the packet to a first container associated with the virtual NIC, and routing the packet to a packet destination using the first container.
- the invention in general, in one aspect, relates to a system for routing a packet.
- the system includes a host comprising a first container; and a network interface card (NIC) operatively connected to the host.
- the host is configured to receive the packet in the NIC, classify the packet, place the packet in a receive ring of the NIC, send the packet to a virtual NIC associated with the receive ring, send the packet to the first container associated with the virtual NIC, and route the packet to a packet destination using the first container.
- the invention relates to a computer usable medium having computer readable program code embodied therein for causing a computer system to execute a method for configuring a network.
- the method includes receiving the packet in a network interface card (NIC), classifying the packet, placing the packet in a receive ring of the NIC, sending the packet to a virtual NIC associated with the receive ring, sending the packet to a first container associated with the virtual NIC, and routing the packet to the packet destination using the first container.
- FIGS. 1-3 show schematic diagrams in accordance with one or more embodiments of the invention.
- FIG. 4 shows a routing module in accordance with one or more embodiments of the invention.
- FIGS. 5-6 show flow diagrams in accordance with one or more embodiments of the invention.
- FIG. 7 shows a computer system in accordance with one or more embodiments of the invention.
- embodiments of the invention provide a method and system to route packets using containers within a host.
- containers correspond to isolated execution environments within the host, which are associated with one or more network interface cards (NICs).
- each container is associated with one or more virtual NICs.
- the virtual NICs may implement a Media Access Control (MAC) layer configuration, such as a virtual Local Area Network (VLAN), Virtual Private Network (VPN) tunnel, etc.
- Embodiments of the invention allow arbitrary network topologies and configurations to exist inside a single host, with dynamic routing of packets within containers.
- FIG. 1 shows a schematic diagram of a system in accordance with one or more embodiments of the invention.
- the system includes a host ( 101 ), multiple NICs (e.g., NIC 1 ( 100 ), NIC 2 ( 102 ), NIC 3 ( 103 ), NIC 4 ( 104 )) connected to different networks (e.g., network 1 ( 136 ), network 2 ( 138 ), network 3 ( 139 ), network 4 ( 140 )), multiple containers (e.g., container 1 ( 128 ), container 2 ( 130 ), container 3 ( 132 )), each of which is connected to a virtual network stack (e.g., virtual network stack 1 ( 122 ), virtual network stack 2 ( 124 ), virtual network stack 3 ( 126 )), which is further connected to a virtual NIC (e.g., virtual NIC 1 ( 106 ), virtual NIC 2 ( 108 ), virtual NIC 3 ( 110 ), virtual NIC 4 ( 112 ), virtual NIC 5 ( 114
- each NIC (e.g., NIC 1 ( 100 ), NIC 2 ( 102 ), NIC 3 ( 103 ), NIC 4 ( 104 )) provides an interface between the host ( 101 ) and a network (e.g., network 1 ( 136 ), network 2 ( 138 ), network 3 ( 139 ), network 4 ( 140 )) (e.g., a local area network, a wide area network, a wireless network, etc.).
- each of the NICs includes a network interface (NI) (i.e., the hardware on the NIC used to interface with the network) (not shown).
- the NI may correspond to an RJ-45 connector, a wireless antenna, etc.
- the packets received by the NI are then forwarded to other components on the NIC (e.g., NIC 1 ( 100 ), NIC 2 ( 102 ), NIC 3 ( 103 ), NIC 4 ( 104 )) for processing.
- each NIC (e.g., NIC 1 ( 100 ), NIC 2 ( 102 ), NIC 3 ( 103 ), NIC 4 ( 104 )) includes one or more receive rings (not shown) and functionality to analyze each packet and determine to which receive ring the packet should be forwarded.
- the receive rings correspond to portions of memory within the NIC (e.g., NIC 1 ( 100 ), NIC 2 ( 102 ), NIC 3 ( 103 ), NIC 4 ( 104 )) used to temporarily store packets received from the network.
- a ring element of the receive rings may point to host memory.
- analyzing individual packets includes determining to which of the receive rings each packet is forwarded.
- analyzing the packets by a classifier (not shown) on each NIC includes analyzing one or more fields in each of the packets to determine to which of the receive rings the packets are forwarded.
- the classifier may use the contents of one or more fields in each packet as an index into a data structure that includes information necessary to determine to which receive ring that packet is forwarded.
- the classifiers may be implemented entirely in hardware (i.e., a classifier may be a separate microprocessor embedded on a NIC (e.g., NIC 1 ( 100 ), NIC 2 ( 102 ), NIC 3 ( 103 ), NIC 4 ( 104 ))).
- the classifiers may be implemented in software stored in memory (e.g., firmware, etc.) on the NIC and executed by a microprocessor on the NIC (e.g., NIC 1 ( 100 ), NIC 2 ( 102 ), NIC 3 ( 103 ), NIC 4 ( 104 )).
- the host ( 101 ) may include a device driver (not shown) and one or more virtual NICs (e.g., virtual NIC 1 ( 106 ), virtual NIC 2 ( 108 ), virtual NIC 3 ( 110 ), virtual NIC 4 ( 112 ), virtual NIC 5 ( 114 ), virtual NIC 6 ( 116 )).
- the device driver provides an interface between the receive rings on a NIC (e.g., NIC 1 ( 100 ), NIC 2 ( 102 ), NIC 3 ( 103 ), NIC 4 ( 104 )) and the host ( 101 ).
- the device driver exposes the receive rings on the NICs (e.g., NIC 1 ( 100 ), NIC 2 ( 102 ), NIC 3 ( 103 ), NIC 4 ( 104 )) to the host ( 101 ).
- a virtual NIC receives incoming packets from the corresponding receive ring.
- outgoing packets are forwarded from a virtual NIC (e.g., virtual NIC 1 ( 106 ), virtual NIC 2 ( 108 ), virtual NIC 3 ( 110 ), virtual NIC 4 ( 112 ), virtual NIC 5 ( 114 ), virtual NIC 6 ( 116 )) to a corresponding transmit ring (not shown), which temporarily stores the packet before transmitting the packet over the network.
- receive rings and transmit rings are implemented as ring buffers in either software or hardware.
- the virtual NICs (e.g., virtual NIC 1 ( 106 ), virtual NIC 2 ( 108 ), virtual NIC 3 ( 110 ), virtual NIC 4 ( 112 ), virtual NIC 5 ( 114 ), virtual NIC 6 ( 116 )) are operatively connected to containers (e.g., container 1 ( 128 ), container 2 ( 130 ), container 3 ( 132 )) via virtual network stacks (e.g., virtual network stack 1 ( 122 ), virtual network stack 2 ( 124 ), virtual network stack 3 ( 126 )).
- the virtual NICs (e.g., virtual NIC 1 ( 106 ), virtual NIC 2 ( 108 ), virtual NIC 3 ( 110 ), virtual NIC 4 ( 112 ), virtual NIC 5 ( 114 ), virtual NIC 6 ( 116 )) provide an abstraction layer between the NICs (e.g., NIC 1 ( 100 ), NIC 2 ( 102 ), NIC 3 ( 103 ), NIC 4 ( 104 )) and the containers (e.g., container 1 ( 128 ), container 2 ( 130 ), container 3 ( 132 )) on the host ( 101 ).
- each virtual NIC (e.g., virtual NIC 1 ( 106 ), virtual NIC 2 ( 108 ), virtual NIC 3 ( 110 ), virtual NIC 4 ( 112 ), virtual NIC 5 ( 114 ), virtual NIC 6 ( 116 )) operates like a NIC (e.g., NIC 1 ( 100 ), NIC 2 ( 102 ), NIC 3 ( 103 ), NIC 4 ( 104 )).
- each virtual NIC is associated with one or more IP addresses and one or more MAC addresses.
- each virtual NIC may be optionally associated with one or more ports, and configured to handle one or more protocol types.
- containers on the host ( 101 ) are unable to distinguish a virtual NIC (e.g., virtual NIC 1 ( 106 ), virtual NIC 2 ( 108 ), virtual NIC 3 ( 110 ), virtual NIC 4 ( 112 ), virtual NIC 5 ( 114 ), virtual NIC 6 ( 116 )) from a physical NIC (e.g., NIC 1 ( 100 ), NIC 2 ( 102 ), NIC 3 ( 103 ), NIC 4 ( 104 )).
- the virtual NICs (e.g., virtual NIC 1 ( 106 ), virtual NIC 2 ( 108 ), virtual NIC 3 ( 110 ), virtual NIC 4 ( 112 ), virtual NIC 5 ( 114 ), virtual NIC 6 ( 116 )) are associated with a MAC layer (not shown), which is responsible for moving data packets between the NIC and virtual NICs, as well as between other NICs on other hosts, using MAC protocols.
- the MAC layer is also responsible for ensuring that collisions do not occur when signals are sent from multiple devices at the same time.
- virtual NICs may implement a MAC layer configuration, such as a virtual LAN, VPN tunnel, etc.
- each virtual network stack (e.g., virtual network stack 1 ( 122 ), virtual network stack 2 ( 124 ), virtual network stack 3 ( 126 )) includes functionality to process packets in accordance with various protocols used to send and receive packets (e.g., Transmission Control Protocol (TCP), Internet Protocol (IP), User Datagram Protocol (UDP), etc.). Further, each virtual network stack may also include functionality, as needed, to perform additional processing on the incoming and outgoing packets. This additional processing may include, but is not limited to, cryptographic processing, firewall routing, etc.
- the virtual network stacks correspond to network stacks with network layer and transport layer functionality.
- network layer functionality corresponds to functionality to manage packet addressing and delivery on a network (e.g., functionality to support IP, Address Resolution Protocol (ARP), Internet Control Message Protocol, etc.).
- transport layer functionality corresponds to functionality to manage the transfer of packets on the network (e.g., functionality to support TCP, UDP, Stream Control Transmission Protocol (SCTP), etc.).
- the virtual network stacks (e.g., virtual network stack 1 ( 122 ), virtual network stack 2 ( 124 ), virtual network stack 3 ( 126 )) implement an IP layer (not shown) and a TCP layer (not shown).
- the host ( 101 ) includes a global container (not shown) and a number of non-global containers (e.g., container 1 ( 128 ), container 2 ( 130 ), container 3 ( 132 )).
- the global container corresponds to an isolated execution environment within the host ( 101 ).
- all of the containers share a common kernel, and as a result, execute the same operating system.
- the non-global containers are configured such that processes executing in a given non-global container are restricted to execute in the non-global container and have no access to resources not assigned to the non-global container.
- the container management component typically executes outside of the global container.
- An example of a container is a Solaris™ Container. (Solaris is a trademark of Sun Microsystems, Inc. of California, USA.)
- Each of the non-global containers (e.g., container 1 ( 128 ), container 2 ( 130 ), container 3 ( 132 )) is configured to send and receive packets to and from the NICs (e.g., NIC 1 ( 100 ), NIC 2 ( 102 ), NIC 3 ( 103 ), NIC 4 ( 104 )).
- the virtual network stacks (e.g., virtual network stack 1 ( 122 ), virtual network stack 2 ( 124 ), virtual network stack 3 ( 126 )) connected to the non-global containers (e.g., container 1 ( 128 ), container 2 ( 130 ), container 3 ( 132 )) process outgoing packets before transmitting the packets to other containers or hosts; the virtual network stacks also process incoming packets from other sources before sending the packets to the containers.
- each non-global container (e.g., container 1 ( 128 ), container 2 ( 130 ), container 3 ( 132 )) and the global container are identified by a container ID, which uniquely identifies the container in the host ( 101 ).
- each non-global container includes a routing module (e.g., routing module 1 ( 142 ), routing module 2 ( 144 ), routing module 3 ( 146 )).
- the routing modules (e.g., routing module 1 ( 142 ), routing module 2 ( 144 ), routing module 3 ( 146 )) allow the containers (e.g., container 1 ( 128 ), container 2 ( 130 ), container 3 ( 132 )) to function as routers.
- the classifier (not shown) on a NIC (e.g., NIC 1 ( 100 ), NIC 2 ( 102 ), NIC 3 ( 103 ), NIC 4 ( 104 )) uses a set of source and/or destination address ranges to direct uncategorized packets received from a network (e.g., network 1 ( 136 ), network 2 ( 138 ), network 3 ( 139 ), network 4 ( 140 )) to a specific receive ring on the NIC.
- These packets are then sent to the virtual NIC (e.g., virtual NIC 1 ( 106 ), virtual NIC 2 ( 108 ), virtual NIC 3 ( 110 ), virtual NIC 4 ( 112 ), virtual NIC 5 ( 114 ), virtual NIC 6 ( 116 )) associated with the receive ring, passed to the virtual network stack (e.g., virtual network stack 1 ( 122 ), virtual network stack 2 ( 124 ), virtual network stack 3 ( 126 )) connected to the virtual NIC, and sent to the container (e.g., container 1 ( 128 ), container 2 ( 130 ), container 3 ( 132 )) governing the virtual network stack.
- the packets may be processed by the virtual network stacks (e.g., virtual network stack 1 ( 122 ), virtual network stack 2 ( 124 ), virtual network stack 3 ( 126 )) and/or containers (e.g., container 1 ( 128 ), container 2 ( 130 ), container 3 ( 132 )), then routed by the containers to another network (e.g., network 1 ( 136 ), network 2 ( 138 ), network 3 ( 139 ), network 4 ( 140 )).
- the container may choose to implement all of the MAC and IP layer functionalities described with the virtual NICs (e.g., virtual NIC 1 ( 106 ), virtual NIC 2 ( 108 ), virtual NIC 3 ( 110 ), virtual NIC 4 ( 112 ), virtual NIC 5 ( 114 ), virtual NIC 6 ( 116 )) or with the virtual network stacks (e.g., virtual network stack 1 ( 122 ), virtual network stack 2 ( 124 ), virtual network stack 3 ( 126 )) on its own.
- each container (e.g., container 1 ( 128 ), container 2 ( 130 ), container 3 ( 132 )) may choose to govern its virtual network stack (e.g., virtual network stack 1 ( 122 ), virtual network stack 2 ( 124 ), virtual network stack 3 ( 126 )), as well as the virtual NICs (e.g., virtual NIC 1 ( 106 ), virtual NIC 2 ( 108 ), virtual NIC 3 ( 110 ), virtual NIC 4 ( 112 ), virtual NIC 5 ( 114 ), virtual NIC 6 ( 116 )) associated with its virtual network stack, such that the virtual network stack and virtual NICs behave as expected.
- the routing module e.g., routing module 1 ( 142 ), routing module 2 ( 144 ), routing module 3 ( 146 )) of each container (e.g., container 1 ( 128 ), container 2 ( 130 ), container 3 ( 132 )) may include a routing table (not shown), which stores the best routes to certain network destinations, routing metrics associated with the routes, and the path to the next hop in the route.
- the routing table may be stored in the virtual network stack (e.g., virtual network stack 1 ( 122 ), virtual network stack 2 ( 124 ), virtual network stack 3 ( 126 )) associated with the container (e.g., container 1 ( 128 ), container 2 ( 130 ), container 3 ( 132 )) and used by the routing module (e.g., routing module 1 ( 142 ), routing module 2 ( 144 ), routing module 3 ( 146 )) from the virtual network stack, or used by the virtual network stack itself.
- the routing module uses a routing protocol, such as Routing Information Protocol (RIP), Open Shortest Path First (OSPF), or Intermediate System to Intermediate System (IS-IS), to communicate with other routing containers (e.g., container 1 ( 128 ), container 2 ( 130 ), container 3 ( 132 )) and routers.
- the routing table is then built by the routing module (e.g., routing module 1 ( 142 ), routing module 2 ( 144 ), routing module 3 ( 146 )) based on the communications with other routing devices.
- the routing table also includes hierarchical routing features such as Multiprotocol Label Switching (MPLS), allowing packets to be processed more quickly.
- protocols such as MPLS allow the creation of VPNs and traffic engineering policies within the routing module (e.g., routing module 1 ( 142 ), routing module 2 ( 144 ), routing module 3 ( 146 )).
- container 1 ( 128 ) routes between network 1 ( 136 ) and network 2 ( 138 ), container 2 routes between network 2 ( 138 ) and network 3 ( 139 ), and container 3 routes between network 3 ( 139 ) and network 4 ( 140 ).
- a container (e.g., container 1 ( 128 ), container 2 ( 130 ), container 3 ( 132 )) may route between more than two networks.
- a single container may route packets between three or more networks (e.g., network 1 ( 136 ), network 2 ( 138 ), network 3 ( 139 ), network 4 ( 140 )) based on source and destination addresses, protocols, packet headers, etc.
- the container may configure the virtual network stack (e.g., virtual network stack 1 ( 122 ), virtual network stack 2 ( 124 ), virtual network stack 3 ( 126 )) and virtual NICs (e.g., virtual NIC 1 ( 106 ), virtual NIC 2 ( 108 ), virtual NIC 3 ( 110 ), virtual NIC 4 ( 112 ), virtual NIC 5 ( 114 ), virtual NIC 6 ( 116 )) to perform the routing.
- Packets arriving at a virtual network stack may never enter the container (e.g., container 1 ( 128 ), container 2 ( 130 ), container 3 ( 132 )) attached to the virtual network stack.
- for example, when a packet arrives at NIC 2 ( 102 ), the classifier of NIC 2 ( 102 ) may place the packet in a receive ring corresponding to virtual NIC 2 ( 108 ) or virtual NIC 3 ( 110 ).
- the classifier may use criteria found in the packet, such as source address, destination address, source or destination port, protocol, etc. to place the packet in an appropriate receive ring.
- the packet is then sent to virtual NIC 2 ( 108 ) or virtual NIC 3 ( 110 ), depending on the receive ring in which the packet is placed.
- the virtual NIC ( 108 or 110 ) may then apply MAC layer processing, such as adding or removing a VLAN tag, to the packet, before sending the packet to the virtual network stack (virtual network stack 1 ( 122 ) or virtual network stack 2 ( 124 )) connected to the virtual NIC.
- the MAC layer processing applied to the packet is based on the MAC layer configuration of the virtual NIC ( 108 or 110 ).
- the virtual network stack may also process the packet (e.g., authenticating the packet, encrypting/decrypting the packet, network address translation (NAT), etc.) before sending the packet to the container (container 1 ( 128 ) or container 2 ( 130 )) corresponding to the virtual network stack.
- the container may process the packet further before sending the packet back to the virtual network stack (virtual network stack 1 ( 122 ) or virtual network stack 2 ( 124 )). Based on the contents of the packet, which may have been altered on its way up to the container (container 1 ( 128 ) or container 2 ( 130 )), the virtual network stack (virtual network stack 1 ( 122 ) or virtual network stack 2 ( 124 )) sends the packet to a particular virtual NIC.
- the packet may be sent to virtual NIC 1 ( 106 ) or virtual NIC 2 ( 108 ) depending on the packet's contents, source, and destination.
- virtual network stack 2 ( 124 ) may send the packet to virtual NIC 3 ( 110 ) or virtual NIC 4 ( 112 ).
- container 1 ( 128 ) may route the packet to network 2 ( 138 ) by sending the packet back down virtual network stack 1 ( 122 ) to virtual NIC 2 ( 108 ), where the packet is relayed to NIC 2 ( 102 ) and transmitted over network 2 ( 138 ).
- a packet from network 2 ( 138 ) may be destined for network 3 ( 139 ) or network 1 ( 136 ). Based on the destination address in the packet, the classifier in NIC 2 ( 102 ) places the packet in the receive ring corresponding to the virtual NIC (virtual NIC 2 ( 108 ) or virtual NIC 3 ( 110 )) that is associated with the packet's destination address.
- the packet is then routed to the destination network (network 1 ( 136 ) or network 3 ( 139 )) by proceeding up the virtual network stack (virtual network stack 1 ( 122 ) or virtual network stack 2 ( 124 )) connected to the virtual NIC (virtual NIC 2 ( 108 ) or virtual NIC 3 ( 110 )), then back down the virtual network stack and to the other virtual NIC (virtual NIC 1 ( 106 ) or virtual NIC 4 ( 112 )) and NIC (NIC 1 ( 100 ) or NIC 3 ( 103 )) corresponding to the destination network.
- FIG. 2 shows a schematic diagram of a system in accordance with one or more embodiments of the invention.
- FIG. 2 shows a host ( 220 ) with two containers (e.g., container 1 ( 228 ), container 2 ( 230 )).
- Container 1 ( 228 ) includes functionality to route packets between three networks (e.g., network 1 ( 212 ), network 2 ( 214 ), network 3 ( 216 )).
- Each network is associated with a particular NIC (e.g., NIC 1 ( 200 ), NIC 2 ( 202 ), NIC 3 ( 204 )), which is further associated with a virtual NIC (e.g., virtual NIC 1 ( 206 ), virtual NIC 2 ( 208 ), virtual NIC 3 ( 210 )).
- the routing module ( 234 ) allows container 1 ( 228 ) to direct packets from each of the three networks (e.g., network 1 ( 212 ), network 2 ( 214 ), network 3 ( 216 )) to another of the three networks.
- the routing module ( 234 ) may simply administer routing policies to virtual network stack 1 ( 222 ), and possibly to one or more of the virtual NICs (e.g., virtual NIC 1 ( 206 ), virtual NIC 2 ( 208 ), virtual NIC 3 ( 210 )), which then implement the routing of packets from one network (e.g., network 1 ( 212 ), network 2 ( 214 ), network 3 ( 216 )) to another.
- network 1 ( 212 ) is associated with IP address 10.1.51.0
- network 2 ( 214 ) is associated with the IP address of 10.1.52.0
- network 3 ( 216 ) is associated with the IP address of 10.1.53.0
- the subnet mask contains a value of 255.255.255.0
- a packet from network 1 ( 212 ) with a destination address of 10.1.53.1 will be routed to network 3 ( 216 ) by container 1 ( 228 ) and/or virtual network stack 1 ( 222 ).
- a packet from network 2 ( 214 ) with a destination IP address of 10.1.51.3 will be routed to network 1 ( 212 ).
- container 2 ( 230 ) does not perform routing on incoming or outgoing packets: container 2 ( 230 ) is connected to virtual network stack 2 ( 224 ), which is connected only to virtual NIC 4 ( 211 ) and NIC 4 ( 205 ), so container 2 ( 230 ) is reachable from only one network (i.e., network 4 ( 217 )).
- although container 2 ( 230 ) may process packets and provide services, such as email or database lookup, container 2 ( 230 ) does not function as a router.
- container 1 ( 228 ) and container 2 ( 230 ) operate independently from one another.
- container 1 ( 228 ) does not receive the same traffic as container 2 ( 230 ), perform the same functions as container 2 ( 230 ), or even acknowledge the existence of container 2 ( 230 ). Consequently, containers (e.g., container 1 ( 228 ), container 2 ( 230 )) on the host ( 220 ) provide separate paths for different types of network traffic, ensure that the traffic is routed correctly and ensure that the data paths do not overlap.
- a host ( 220 ) may include one or more routing containers (e.g., container 1 ( 228 )) and one or more non-routing containers (e.g., container 2 ( 230 )), as needed, such that all network traffic received by the host is processed and routed appropriately and independently.
- FIG. 3 shows a schematic diagram of a system in accordance with one or more embodiments of the invention.
- the system of FIG. 3 shows another host ( 330 ) with two routing containers (i.e., container 1 ( 342 ), container 2 ( 344 )).
- Container 1 ( 342 ) is associated with virtual network stack 1 ( 332 ), as well as three virtual NICs (virtual NIC 1 ( 306 ), virtual NIC 2 ( 308 ), virtual NIC 4 ( 312 )).
- Virtual NIC 1 ( 306 ) is connected to NIC 1 ( 300 ), which is in turn connected to network 1 ( 336 ).
- Virtual NIC 2 ( 308 ) is associated with NIC 2 ( 302 ), which is linked to network 2 ( 338 ).
- container 1 ( 342 ) may route packets between network 1 ( 336 ) and network 2 ( 338 ).
- Container 2 ( 344 ) is connected to virtual network stack 2 ( 334 ) and two virtual NICs (e.g., virtual NIC 3 ( 310 ), virtual NIC 5 ( 314 )).
- Virtual NIC 3 leads to NIC 3 ( 304 ) and network 3 ( 340 ).
- container 1 ( 342 ) and container 2 ( 344 ) are linked through a virtual switch ( 350 ) via virtual NIC 4 ( 312 ) and virtual NIC 5 ( 314 ).
- the virtual switch ( 350 ) functions as a software equivalent of a network switch.
- the virtual switch ( 350 ) performs transparent bridging of network segments (i.e., virtual network stacks) within the host ( 330 ).
- virtual network stack 1 ( 332 ) may transmit packets to and receive packets from virtual network stack 2 ( 334 ) by using the virtual switch ( 350 ) and related virtual NICs (e.g., virtual NIC 4 ( 312 ), virtual NIC 5 ( 314 )).
- all virtual network stacks (e.g., virtual network stack 1 ( 332 ), virtual network stack 2 ( 334 )) connected to a virtual switch ( 350 ) are registered in the virtual switch's address table (not shown).
- the virtual switch ( 350 ) routes packets to their destinations using the address table.
- the destination address is checked against the entries in the address table.
- the packet is forwarded directly to the virtual NIC (e.g., virtual NIC 1 ( 306 ), virtual NIC 2 ( 308 ), virtual NIC 3 ( 310 )) associated with the match, which then forwards the packet to the corresponding virtual network stack (e.g., virtual network stack 1 ( 332 ), virtual network stack 2 ( 334 )) or to the network (e.g., network 1 ( 336 ), network 2 ( 338 ), network 3 ( 340 )). If a match is not found, the packet is dropped.
- the virtual switch corresponds to the virtual switch disclosed in the co-pending patent application entitled “Virtual Switch” (application Ser. No. 11/480,261) and assigned to the assignee of the present application. The aforementioned patent application is hereby incorporated by reference.
- a routing container (e.g., container 1 ( 342 ), container 2 ( 344 )) may route packets between the networks (e.g., network 1 ( 336 ), network 2 ( 338 ), network 3 ( 340 )) the container is directly connected to, as well as other networks indirectly linked to the container using a virtual switch ( 350 ).
- a virtual switch ( 350 ) connecting the two containers (i.e., container 1 ( 342 ) and container 2 ( 344 )) forms an internal virtual network between them.
- container 2 ( 344 ) may route packets between the internal virtual network and network 3 ( 340 ).
- Container 1 ( 342 ) may route packets between network 1 ( 336 ) and network 2 ( 338 ), as well as between network 1 ( 336 ) and the internal virtual network or between network 2 ( 338 ) and the internal virtual network. Further, packets sent to network 1 ( 336 ) or network 2 ( 338 ) from network 3 ( 340 ) may be transmitted to the internal virtual network from network 3 ( 340 ), where the packets are routed to virtual network stack 1 ( 332 ) and onto the destination network (e.g., network 1 ( 336 ), network 2 ( 338 )).
- packets sent from network 1 ( 336 ) or network 2 ( 338 ) to network 3 ( 340 ) may be sent to the internal virtual network and then routed by the virtual switch ( 350 ) to virtual network stack 2 ( 334 ) and further to network 3 ( 340 ).
- the packet is sent to container 1 ( 342 ) for any additional processing, then returned to virtual network stack 1 ( 332 ), which subsequently sends the packet to virtual NIC 4 ( 312 ).
- Virtual NIC 4 ( 312 ) subsequently sends the packet to virtual switch ( 350 ).
- the virtual switch ( 350 ) sends the packet to virtual NIC 5 ( 314 ) by matching the address in the packet header with an entry in its address table.
- Virtual NIC 5 ( 314 ) then sends the packet to virtual network stack 2 ( 334 ) and/or container 2 ( 344 ), possibly for further processing, before container 2 ( 344 ) and/or virtual network stack 2 ( 334 ) sends the packet down to virtual NIC 3 ( 310 ) and on to network 3 ( 340 ).
- the system of FIG. 3 serves to separate an internal network and an external network.
- network 3 ( 340 ) is an external network and network 1 ( 336 ) and network 2 ( 338 ) are two sub-networks of an internal network.
- container 1 ( 342 ) is used for the internal networks
- container 2 ( 344 ) is used for the external networks.
- Traffic from the external network to the internal networks must be permitted through virtual network stack 2 ( 334 ) in order to reach the virtual switch ( 350 ) and the other virtual NICs ( 308 , 310 ).
- traffic from the internal networks must be directed by virtual network stack 1 ( 332 ) to the virtual switch ( 350 ) before the traffic reaches the external network (e.g., network 3 ( 340 )).
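- The virtual switch path of FIG. 3, as an added Python model that is not code from the patent. The switch holds an address table of registered virtual NICs, forwards on an exact match and drops unmatched frames; each virtual network stack sends traffic for a network it is not attached to across the switch to its peer. The MAC addresses, the network names used as keys, the loop check and all class and function names are constructed for the example.

```python
# Added example (not the patent's code): the FIG. 3 host with two routing
# containers joined by a virtual switch.  The switch forwards a frame only when
# its destination MAC is in the address table and drops it otherwise; each
# stack sends traffic for a network it is not attached to across the switch to
# the peer stack.  MAC addresses are constructed sample values.


class VirtualNIC:
    def __init__(self, name, mac, stack):
        self.name, self.mac, self.stack = name, mac, stack


class VirtualSwitch:
    """Software switch with an address table: registered MAC -> virtual NIC."""

    def __init__(self):
        self.address_table = {}
        self.dropped = []

    def register(self, vnic):
        self.address_table[vnic.mac] = vnic

    def forward(self, frame):
        """Return the virtual NIC that receives the frame, or None if dropped."""
        vnic = self.address_table.get(frame["dst_mac"])
        if vnic is None:
            self.dropped.append(frame)
        return vnic


class VirtualNetworkStack:
    """Stack owned by one routing container.  Traffic for an attached network
    leaves on that network's virtual NIC; anything else is sent over the
    switch-facing virtual NIC to the peer stack's MAC (the internal virtual
    network of the text).  A stack with no uplink drops unknown destinations."""

    def __init__(self, name):
        self.name = name
        self.attached = {}  # network name -> virtual NIC
        self.uplink = None  # (own switch-facing virtual NIC, peer MAC)

    def next_hop(self, dst_net):
        if dst_net in self.attached:
            return self.attached[dst_net], None
        if self.uplink is not None:
            return self.uplink
        return None, None


def build_fig3_host():
    stack1 = VirtualNetworkStack("virtual network stack 1")  # container 1
    stack2 = VirtualNetworkStack("virtual network stack 2")  # container 2
    vnic1 = VirtualNIC("virtual NIC 1", "02:00:00:00:00:01", stack1)
    vnic2 = VirtualNIC("virtual NIC 2", "02:00:00:00:00:02", stack1)
    vnic4 = VirtualNIC("virtual NIC 4", "02:00:00:00:00:04", stack1)
    vnic3 = VirtualNIC("virtual NIC 3", "02:00:00:00:00:03", stack2)
    vnic5 = VirtualNIC("virtual NIC 5", "02:00:00:00:00:05", stack2)
    stack1.attached = {"network 1": vnic1, "network 2": vnic2}
    stack1.uplink = (vnic4, vnic5.mac)
    stack2.attached = {"network 3": vnic3}
    stack2.uplink = (vnic5, vnic4.mac)
    switch = VirtualSwitch()
    switch.register(vnic4)
    switch.register(vnic5)
    ingress = {"network 1": vnic1, "network 2": vnic2, "network 3": vnic3}
    return switch, ingress


def trace(switch, ingress, src_net, dst_net):
    """Follow a packet entering from src_net toward dst_net and return the
    ordered list of components it traverses, ending in a drop reason if any."""
    vnic = ingress[src_net]
    stack = vnic.stack
    hops = [vnic.name, stack.name]
    seen = {stack.name}
    while True:
        vnic, peer_mac = stack.next_hop(dst_net)
        if vnic is None:
            return hops + ["dropped: no route"]
        hops.append(vnic.name)
        if peer_mac is None:
            return hops  # left the host through a physical NIC
        hops.append("virtual switch")
        peer = switch.forward({"dst_mac": peer_mac})
        if peer is None:
            return hops + ["dropped: not in address table"]
        stack = peer.stack
        hops += [peer.name, stack.name]
        if stack.name in seen:
            return hops + ["dropped: routing loop"]
        seen.add(stack.name)


def demo():
    switch, ingress = build_fig3_host()
    return {
        "external_to_internal": trace(switch, ingress, "network 3", "network 1"),
        "internal_to_external": trace(switch, ingress, "network 2", "network 3"),
        "internal_to_internal": trace(switch, ingress, "network 1", "network 2"),
        "unknown_network": trace(switch, ingress, "network 1", "network 9"),
        "unregistered_mac": switch.forward({"dst_mac": "02:00:00:00:00:99"}),
    }
```

- Tracing traffic from network 3 to network 1 shows the property the text relies on for separating the external and internal networks: the only path between them runs through virtual network stack 2, the virtual switch and virtual network stack 1, so a policy placed in either stack sees all of it. The trace for an unknown destination also shows why a pair of stacks that each point their default at the other needs a loop check.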
- FIG. 4 shows a routing module in accordance with one or more embodiments of the invention.
- the routing module ( 400 ) includes a routing protocol ( 405 ), a routing table ( 410 ), a security protocol ( 415 ), an address resolution utility ( 420 ), and an address translation utility ( 425 ).
- each of these components may be implemented within a container, or by the virtual network stack and/or virtual NIC associated with the container.
- each routing module ( 400 ) may include all of or only a subset of the components shown in FIG. 4 . The aforementioned components are described in detail below.
- the routing table ( 410 ) is used to direct outgoing packets by matching destination addresses of the packets to the network paths used to reach them. In one or more embodiments of the invention, the routing table ( 410 ) lists the next hop to a destination. As mentioned previously, the routing table ( 410 ) may also implement a hierarchical routing architecture, such as MPLS, such that a single table entry can effectively select the next several hops and reduce table lookups, or so that a VPN may be implemented.
- a routing table ( 410 ) is created using the routing protocol ( 405 ).
- the routing protocol ( 405 ) determines the next hop in the network path using a shortest path algorithm, such as Dijkstra's algorithm, and fills in the routing table ( 410 ) with the next hop for any given destination address.
- Routing protocols include, but are not limited to, Open Shortest Path First (OSPF), Routing Information Protocol (RIP), and Intermediate System to Intermediate System (IS-IS). Different routing protocols ( 405 ) may be used based on the type of network the packets are transmitted over.
- each routing protocol may use routing metrics, such as bandwidth, delay, hop count, path cost, load, Maximum Transmission Unit (MTU), reliability, and communication costs, to determine along which route to send packets.
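- The routing protocol's job of filling the routing table with a next hop for every destination, as an added Python example (not the patent's code). The topology is a constructed link-state view of six routers with symmetric link costs; the costs stand in for whichever metric (delay, bandwidth, hop count, and so on) the protocol uses. The TOPOLOGY constant and the function names are assumptions of the example.

```python
# Added example (not the patent's code): a routing protocol filling the
# routing table of FIG. 4 with the next hop toward every destination.  The
# link-state view of the network below is constructed; link costs stand in for
# whichever metric (delay, bandwidth, hop count, ...) the protocol uses.
import heapq

# Constructed topology: router -> {neighbour: link cost}.  Links are symmetric.
TOPOLOGY = {
    "R1": {"R2": 1, "R3": 2, "R6": 1},
    "R2": {"R1": 1, "R3": 1, "R4": 5},
    "R3": {"R1": 2, "R2": 1, "R4": 1},
    "R4": {"R2": 5, "R3": 1, "R5": 1},
    "R5": {"R4": 1, "R6": 2},
    "R6": {"R1": 1, "R5": 2},
}


def dijkstra_next_hops(graph, source):
    """Return {destination: (next_hop, path_cost)} from `source`.

    Standard Dijkstra over additive costs; each heap entry also carries the
    first hop taken from `source`, so the table can be filled directly
    without storing whole paths."""
    dist = {source: 0}
    table = {}
    heap = [(0, source, None)]  # (cost so far, node, first hop from source)
    while heap:
        cost, node, first = heapq.heappop(heap)
        if cost > dist[node]:
            continue  # stale entry superseded by a cheaper path
        for nbr, link_cost in graph.get(node, {}).items():
            new_cost = cost + link_cost
            if new_cost < dist.get(nbr, float("inf")):
                dist[nbr] = new_cost
                hop = nbr if node == source else first
                table[nbr] = (hop, new_cost)
                heapq.heappush(heap, (new_cost, nbr, hop))
    return table


def build_routing_table(graph, source):
    """Routing table as the text describes it: destination -> next hop."""
    return {dst: hop for dst, (hop, _) in dijkstra_next_hops(graph, source).items()}


if __name__ == "__main__":
    for dst, (hop, cost) in sorted(dijkstra_next_hops(TOPOLOGY, "R1").items()):
        print(f"{dst}: next hop {hop}, cost {cost}")
```

- Carrying the first hop in each heap entry is what lets the search populate a next-hop table instead of full paths, which is all a forwarding lookup needs. The table is only as sound as the costs it was computed from: a routing module that accepts metrics advertised by neighbours has reason to authenticate them, one use of the security protocol described next.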
- the security protocol ( 415 ) secures network data by providing encryption and/or authentication of packets.
- the security protocol ( 415 ) may be used to create a VPN.
- An example of a security protocol ( 415 ) is IPsec. IPsec provides secure packet flows by the use of authentication headers (AH) in packets, as well as cryptographic protocols for data confidentiality in its encapsulating security payload (ESP).
- Other security protocols ( 415 ) include Secure Sockets Layer (SSL) and Transport Layer Security (TLS).
- an address resolution utility ( 420 ) is used by the routing module ( 400 ) to determine a host's hardware address from a network address, or vice versa.
- Examples of address resolution utilities include Address Resolution Protocol (ARP) and Inverse ARP.
- the address resolution utility ( 420 ) may be used if one host sends a packet to another host, and knows the IP address but not the MAC address of the other host. In such cases, an ARP request is broadcast by the first host and received by the second host, which replies with the missing information.
- the address resolution utility ( 420 ) may also be used if the MAC address of the other host is known, but not the IP address.
- the address translation utility ( 425 ) rewrites the source and/or destination addresses of packets as they pass through the routing module ( 400 ) or the virtual network stack implementing the address translation.
- address translation allows multiple hosts on a private network to access other networks, such as the Internet, using a single IP address. For example, if the routing module ( 400 ) is responsible for routing traffic between two networks, outgoing packets from the first network may have their source IP addresses rewritten to a specific value by the address translation utility ( 425 ) before being sent to the second network.
- the address translation utility ( 425 ) may also provide a firewall for a network by preventing hosts outside the network from reaching devices within the network.
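- The address translation utility's source rewrite and its firewall effect, as an added Python example (not the patent's code). Outbound packets from the private network leave with one public address and a port chosen by the translator; an inbound packet is admitted only if it matches a translation created by an earlier outbound packet and comes from the endpoint that packet contacted. The private and public addresses, the ports and the field names are constructed for the example.

```python
# Added example (not the patent's code): the address translation utility of
# FIG. 4.  Outbound packets from the private network leave with the single
# public address and a fresh source port; an inbound packet is admitted only if
# it matches a translation created by an earlier outbound packet, which is the
# firewall effect the text describes.  All addresses are constructed samples.
from ipaddress import ip_address, ip_network


class AddressTranslationUtility:
    def __init__(self, private_net, public_ip, first_port=40000):
        self.private_net = ip_network(private_net)
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_public_port = {}  # public port -> (priv ip, priv port, ext ip, ext port)
        self.by_flow = {}         # (priv ip, priv port, ext ip, ext port) -> public port

    def outbound(self, pkt):
        """Rewrite the source of a packet leaving the private network."""
        if ip_address(pkt["src_ip"]) not in self.private_net:
            return pkt  # not from the private side: pass through unchanged
        flow = (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"])
        port = self.by_flow.get(flow)
        if port is None:
            port = self.next_port  # a new flow gets the next unused port
            self.next_port += 1
            self.by_flow[flow] = port
            self.by_public_port[port] = flow
        return dict(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt):
        """Return the packet rewritten for the private host, or None to drop."""
        if pkt["dst_ip"] != self.public_ip:
            return None  # not addressed to the translator
        flow = self.by_public_port.get(pkt["dst_port"])
        if flow is None:
            return None  # no outbound flow created this mapping: unsolicited
        priv_ip, priv_port, ext_ip, ext_port = flow
        if (pkt["src_ip"], pkt["src_port"]) != (ext_ip, ext_port):
            return None  # reply from an endpoint the private host never contacted
        return dict(pkt, dst_ip=priv_ip, dst_port=priv_port)


def demo():
    nat = AddressTranslationUtility("10.1.51.0/24", "203.0.113.1")
    out = nat.outbound({"src_ip": "10.1.51.5", "src_port": 51000,
                        "dst_ip": "198.51.100.10", "dst_port": 443})
    reply = nat.inbound({"src_ip": "198.51.100.10", "src_port": 443,
                         "dst_ip": "203.0.113.1", "dst_port": out["src_port"]})
    unsolicited = nat.inbound({"src_ip": "198.51.100.77", "src_port": 4444,
                               "dst_ip": "203.0.113.1", "dst_port": 40001})
    wrong_peer = nat.inbound({"src_ip": "198.51.100.77", "src_port": 443,
                              "dst_ip": "203.0.113.1", "dst_port": out["src_port"]})
    return {"out": out, "reply": reply, "unsolicited": unsolicited, "wrong_peer": wrong_peer}


if __name__ == "__main__":
    for case, pkt in demo().items():
        print(f"{case}: {pkt}")
```

- Keying the inbound check on the full flow, not just the public port, is what makes the translator act as the firewall the text mentions: a packet to an allocated port from any other endpoint is still dropped.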
- FIG. 5 shows a flow diagram of a system setup in accordance with one or more embodiments of the invention.
- the network requirements may include network services (e.g., web, email, database, file transfer, etc.), routing capabilities between multiple networks, firewalls, VPNs, VLANs, etc.
- a container is created to handle a network requirement (Step 503 ).
- multiple network requirements may be satisfied with one container, or more containers.
- a single container may include functionality to route packets and serve as a firewall.
- multiple containers may be required to implement a demilitarized zone (DMZ).
- a virtual network stack is created for the container (Step 505 ) and connected to the container (Step 507 ). As stated above, the virtual network stack is responsible for handling and processing packets at the transport and network layers.
- the routing module for the container is configured (Step 509 ). Configuring the routing module may include specifying the routing protocol, creating the routing table from the routing protocol, setting up a security protocol, enabling address resolution and translation, etc. The steps of configuring the routing module may be performed by an administrator, or may be automatically completed by processes running on the host. Those skilled in the art will appreciate that basic routing configuration steps may be automated, with customization steps performed manually by an administrator if needed.
- a virtual NIC corresponding to a NIC is then created (Step 511 ).
- each receive ring on the NIC corresponds to a virtual network, such as a VLAN.
- the virtual NIC is then associated with one or more of the receive rings on the NIC.
- packets from that VLAN are separated at the NIC level and remain separated, while in the host, from packets from other VLANs connected to the NIC.
- each receive ring on the NIC is simply associated with a set of addresses (e.g., IP addresses, MAC addresses, etc.). Consequently, a virtual NIC connected to a specific receive ring may only receive packets for the set of addresses associated with the receive ring. Packets sent from the virtual NIC to the NIC are correspondingly placed in one or more transmit rings within the NIC.
- the container is connected to the virtual NIC (Step 513 ).
- the NIC is then configured to handle network traffic for the container (Step 515 ).
- the classifier on the NIC is programmed to place packets with certain characteristics, such as source address, destination address, protocol, etc. in the receive ring associated with the virtual NIC.
- When the container is connected to the network through the virtual network stack, virtual NIC, and NIC, a determination is made about whether additional connections are needed (Step 517 ).
- a determination is then made about whether all network requirements are handled (Step 519 ). If so, the setup is complete. If not, Steps 503 - 519 are repeated until all network requirements are fulfilled.
- FIG. 6 shows a flow diagram of packet routing in accordance with one or more embodiments of the invention.
- the packet is received in a NIC (Step 601 ).
- the packet is then classified (Step 603 ) by the classifier on the NIC and placed in the appropriate receive ring (Step 605 ) of the NIC.
- the classifier may use one or more fields in the packet header, or even the packet contents, to classify the packet.
- if the packet cannot be classified into a specific receive ring, the classifier places the packet into a default receive ring on the NIC, which is connected to a routing container. The routing container is then able to direct the packet in the appropriate direction upon receiving the packet.
- the packet is sent to the virtual NIC (Step 607 ) connected to the receive ring.
- the virtual NIC may then apply MAC layer processing to the packet (Step 609 ) if necessary.
- the MAC layer processing may be based on the MAC layer configuration of the virtual NIC.
- MAC layer configurations may include VPN tunnel functionalities, VLAN tags, etc.
- the packet is then sent to the container (Step 611 ), where the packet is processed (Step 613 ).
- the packet may alternatively be processed by the virtual network stack associated with the container, if routing capabilities are implemented in the virtual network stack and configured by the container.
- the packet may be processed by applying network address translation (NAT), encryption/decryption, authentication, etc.
- the source and destination addresses of the packet are examined to determine if the packet needs to be routed further (Step 615 ). For example, if the packet is destined for the container, the packet does not need to be routed further.
- the packet will need to be configured for routing (Step 617 ) by making address changes, adding and removing headers, such as in MPLS, and/or applying any cryptographic or authentication algorithms to the packet contents.
- the packet is then sent through the virtual network stack to the appropriate virtual NIC (Step 619 ), where the packet is relayed to its destination (Step 621 ).
- each virtual NIC corresponds to a particular network connected to the NIC. Sending the packet to a virtual NIC ensures that the packet will be sent out on the network associated with the virtual NIC.
- the packet may be sent from the virtual NIC through a virtual switch to another virtual NIC, where the packet is sent out on another network.
- the first virtual NIC and virtual switch correctly send the packet to the second virtual NIC based on the contents of the packet and the address table of the virtual switch.
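- The receive path of FIG. 6 from Step 601 through Step 615, as an added Python model (not the patent's code): the classifier selects a receive ring from a header field (here the source subnet) or falls back to the default ring that feeds a routing container, the virtual NIC enforces and strips its configured VLAN tag, and the container decides between local delivery and forwarding. Ring names, VLAN ids, addresses, routes and all class and function names are constructed for the example.

```python
# Added example (not the patent's code): the FIG. 6 receive path.  The NIC
# classifier picks a receive ring from header fields (here the source subnet)
# or falls back to a default ring that feeds a routing container; the virtual
# NIC applies its MAC-layer VLAN configuration; the container then decides
# whether the packet is for itself or must be forwarded (Step 615).  Rings,
# VLAN ids and addresses are constructed sample values.
from ipaddress import ip_address, ip_network


class ReceiveRing:
    def __init__(self, name, src_subnet=None):
        self.name = name
        self.src_subnet = ip_network(src_subnet) if src_subnet else None
        self.queue = []


class Classifier:
    """Hardware classifier on the NIC: first ring whose criteria match, else
    the default ring (connected to a routing container in the text)."""

    def __init__(self, rings, default_ring):
        self.rings = rings
        self.default_ring = default_ring

    def classify(self, frame):
        for ring in self.rings:
            if ring.src_subnet is None or ip_address(frame["src"]) in ring.src_subnet:
                ring.queue.append(frame)
                return ring
        self.default_ring.queue.append(frame)
        return self.default_ring


class VirtualNIC:
    """MAC-layer processing: a VLAN-configured virtual NIC accepts only frames
    carrying its tag and removes the tag before passing the packet up."""

    def __init__(self, name, vlan=None):
        self.name = name
        self.vlan = vlan

    def receive(self, frame):
        if self.vlan is None:
            return frame
        if frame.get("vlan") != self.vlan:
            return None  # wrong or missing tag: never mix VLAN segments
        return {k: v for k, v in frame.items() if k != "vlan"}


class RoutingContainer:
    def __init__(self, own_addresses, routes):
        self.own = set(own_addresses)
        self.routes = routes  # ip_network -> egress virtual NIC name

    def handle(self, pkt):
        """Step 615: packets for the container stop here, others are routed."""
        if pkt["dst"] in self.own:
            return "local"
        dst = ip_address(pkt["dst"])
        for net, egress in self.routes.items():
            if dst in net:
                return f"forward via {egress}"
        return "drop: no route"


def receive_path(frame, classifier, vnics, containers):
    """Run one frame through classify -> ring -> virtual NIC -> container and
    return (ring name, virtual NIC name, outcome)."""
    ring = classifier.classify(frame)
    vnic = vnics[ring.name]
    pkt = vnic.receive(frame)
    if pkt is None:
        return ring.name, vnic.name, "dropped at virtual NIC"
    return ring.name, vnic.name, containers[vnic.name].handle(pkt)


def build_nic():
    ring1 = ReceiveRing("ring 1", "10.1.51.0/24")  # traffic from network 1
    default = ReceiveRing("default ring")
    classifier = Classifier([ring1], default)
    vnics = {"ring 1": VirtualNIC("virtual NIC 1", vlan=10),
             "default ring": VirtualNIC("virtual NIC 3")}
    containers = {
        "virtual NIC 1": RoutingContainer(["10.1.51.1"], {ip_network("10.1.52.0/24"): "virtual NIC 2"}),
        "virtual NIC 3": RoutingContainer([], {ip_network("10.1.51.0/24"): "virtual NIC 1",
                                               ip_network("10.1.52.0/24"): "virtual NIC 2"}),
    }
    return classifier, vnics, containers


def demo():
    classifier, vnics, containers = build_nic()
    frames = {
        "for_container": {"vlan": 10, "src": "10.1.51.20", "dst": "10.1.51.1"},
        "forward_from_ring": {"vlan": 10, "src": "10.1.51.20", "dst": "10.1.52.8"},
        "wrong_vlan": {"vlan": 20, "src": "10.1.51.9", "dst": "10.1.51.1"},
        "default_ring_forward": {"src": "172.16.0.4", "dst": "10.1.52.8"},
        "default_ring_no_route": {"src": "172.16.0.4", "dst": "192.0.2.7"},
    }
    return {name: receive_path(f, classifier, vnics, containers) for name, f in frames.items()}
```

- The wrong-VLAN case shows why the MAC-layer check at the virtual NIC matters even after the classifier has chosen a ring: a ring programmed on addresses alone would otherwise let a frame from another VLAN reach the container, so the virtual NIC's own configuration is the second point at which the separation is enforced.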
- a computer system ( 700 ) includes a processor ( 702 ), associated memory ( 704 ), a storage device ( 706 ), and numerous other elements and functionalities typical of today's computers (not shown).
- the computer ( 700 ) may also include input means, such as a keyboard ( 708 ) and a mouse ( 710 ), and output means, such as a monitor ( 712 ).
- the computer system ( 700 ) is connected to a local area network (LAN) or a wide area network (e.g., the Internet) (not shown) via a network interface connection (not shown).
- one or more elements of the aforementioned computer system ( 700 ) may be located at a remote location and connected to the other elements over a network.
- the invention may be implemented on a distributed system having a plurality of nodes, where each portion of the invention (e.g., virtual NIC, virtual network stack, container, etc.) may be located on a different node within the distributed system.
- the node corresponds to a computer system.
- the node may correspond to a processor with associated physical memory.
- the node may alternatively correspond to a processor with shared memory and/or resources.
- software instructions to perform embodiments of the invention may be stored on a computer readable medium such as a compact disc (CD), a diskette, a tape, a file, or any other computer readable storage device.
Description
- The present application contains subject matter that may be related to the subject matter in the following U.S. applications filed on Apr. 22, 2005, and assigned to the assignee of the present application: “Method and Apparatus for Managing and Accounting for Bandwidth Utilization Within A Computing System” with U.S. application Ser. No. 11/112,367 (Attorney Docket No. 03226/643001; SUN050681); “Method and Apparatus for Consolidating Available Computing Resources on Different Computing Devices” with U.S. application Ser. No. 11/112,368 (Attorney Docket No. 03226/644001; SUN050682); “Assigning Higher Priority to Transactions Based on Subscription Level” with U.S. application Ser. No. 11/112,947 (Attorney Docket No. 03226/645001; SUN050589); “Method and Apparatus for Dynamically Isolating Affected Services Under Denial of Service Attack” with U.S. application Ser. No. 11/112,158 (Attorney Docket No. 03226/646001; SUN050587); “Method and Apparatus for Improving User Experience for Legitimate Traffic of a Service Impacted by Denial of Service Attack” with U.S. application Ser. No. 11/112,629 (Attorney Docket No. 03226/647001; SUN050590); “Method and Apparatus for Limiting Denial of Service Attack by Limiting Traffic for Hosts” with U.S. application Ser. No. 11/112,328 (Attorney Docket No. 03226/648001; SUN050591); “Hardware-Based Network Interface Per-Ring Resource Accounting” with U.S. application Ser. No. 11/112,222 (Attorney Docket No. 03226/649001; SUN050593); “Dynamic Hardware Classification Engine Updating for a Network Interface” with U.S. application Ser. No. 11/112,934 (Attorney Docket No. 03226/650001; SUN050592); “Network Interface Card Resource Mapping to Virtual Network Interface Cards” with U.S. application Ser. No. 11/112,063 (Attorney Docket No. 03226/651001; SUN050588); “Network Interface Decryption and Classification Technique” with U.S. application Ser. No. 11/112,436 (Attorney Docket No. 03226/652001; SUN050596); “Method and Apparatus for Enforcing Resource Utilization of a Container” with U.S. application Ser. No. 11/112,910 (Attorney Docket No. 03226/653001; SUN050595); “Method and Apparatus for Enforcing Packet Destination Specific Priority Using Threads” with U.S. application Ser. No. 11/112,584 (Attorney Docket No. 03226/654001; SUN050597); “Method and Apparatus for Processing Network Traffic Associated with Specific Protocols” with U.S. application Ser. No. 11/112,228 (Attorney Docket No. 03226/655001; SUN050598).
- The present application contains subject matter that may be related to the subject matter in the following U.S. applications filed on Oct. 21, 2005, and assigned to the assignee of the present application: “Method and Apparatus for Defending Against Denial of Service Attacks” with U.S. application Ser. No. 11/255,366 (Attorney Docket No. 03226/688001; SUN050966); “Router Based Defense Against Denial of Service Attacks Using Dynamic Feedback from Attacked Host” with U.S. application Ser. No. 11/256,254 (Attorney Docket No. 03226/689001; SUN050969); and “Method and Apparatus for Monitoring Packets at High Data Rates” with U.S. application Ser. No. 11/226,790 (Attorney Docket No. 03226/690001; SUN050972).
- The present application contains subject matter that may be related to the subject matter in the following U.S. applications filed on Jun. 30, 2006, and assigned to the assignee of the present application: “Network Interface Card Virtualization Based On Hardware Resources and Software Rings” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/870001; SUN061020); “Method and System for Controlling Virtual Machine Bandwidth” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/871001; SUN061021); “Virtual Switch” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/873001; SUN061023); “System and Method for Virtual Network Interface Cards Based on Internet Protocol Addresses” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/874001; SUN061024); “Virtual Network Interface Card Loopback Fastpath” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/876001; SUN061027); “Bridging Network Components” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/877001; SUN061028); “Reflecting the Bandwidth Assigned to a Virtual Network Interface Card Through Its Link Speed” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/878001; SUN061029); “Method and Apparatus for Containing a Denial of Service Attack Using Hardware Resources on a Virtual Network Interface Card” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/879001; SUN061033); “Virtual Network Interface Cards with VLAN Functionality” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/882001; SUN061037); “Method and Apparatus for Dynamic Assignment of Network Interface Card Resources” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/883001; SUN061038); “Generalized Serialization Queue Framework for Protocol Processing” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/884001; SUN061039); “Serialization Queue Framework for Transmitting Packets” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/885001; SUN061040).
- The present application contains subject matter that may be related to the subject matter in the following U.S. applications filed on Jul. 20, 2006, and assigned to the assignee of the present application: “Low Impact Network Debugging” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/829001; SUN060545); “Reflecting Bandwidth and Priority in Network Attached Storage I/O” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/830001; SUN060587); “Priority and Bandwidth Specification at Mount Time of NAS Device Volume” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/831001; SUN060588); “Notifying Network Applications of Receive Overflow Conditions” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/869001; SUN060913); “Host Operating System Bypass for Packets Destined for a Virtual Machine” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/872001; SUN061022); “Multi-Level Packet Classification” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/875001; SUN061026); “Method and System for Automatically Reflecting Hardware Resource Allocation Modifications” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/881001; SUN061036); “Multiple Virtual Network Stack Instances Using Virtual Network Interface Cards” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/888001; SUN061041); “Method and System for Network Configuration for Containers” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/889001; SUN061044); “Network Memory Pools for Packet Destinations and Virtual Machines” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/890001; SUN061062); “Method and System for Network Configuration for Virtual Machines” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/893001; SUN061171); “Multiple Virtual Network Stack Instances” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/896001; SUN061198); and “Shared and Separate Network Stack Instances” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/898001; SUN061200).
- The present application contains subject matter that may be related to the subject matter in the following U.S. applications filed on Nov. 28, 2006, and assigned to the assignee of the present application: “Virtual Network Testing and Deployment using Network Stack Instances and Containers” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/892001; SUN061072) and “Method and System for Creating A Demilitarized Zone using Network Stack Instances” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/891001; SUN061071) filed on Dec. 20, 2006.
- The present application contains subject matter that may be related to the subject matter in the following U.S. application filed on Dec. 20, 2006, and assigned to the assignee of the present application: “Network Stack Instance Architecture with Selection of Transport Layers” with U.S. application Ser. No. TBD (Attorney Docket No. 03226/854001; SUN061184).
- Network traffic is transmitted over a network, such as the Internet, from a sending computer system, via a first network interface card (NIC), to a receiving computer system via a second NIC. The NIC is a piece of hardware found in a typical computer system that includes functionality to send and receive network traffic. Typically, network traffic is transmitted in the form of packets, where each packet includes a header and a payload. The header contains information regarding the source address, destination address, size, transport protocol used to transmit the packet, and various other identification information associated with the packet. The payload contains the actual data to be transmitted from the network to the receiving system.
- Each of the packets sent between the sending system and receiving system is typically transmitted through one or more connections. The connections may occur on a physical level. For example, the packets may be transmitted as signals (e.g., electrical, optical, etc) between the two systems through a variety of cables, routers, transmitters, receivers, and/or other interconnected hardware. In addition, the connections may occur on a logical level. For example, in order for the sending system and receiving system to communicate with one another, packets must properly reach the receiving system from the sending system. The receiving device must also recognize that the packets received are indeed meant for the receiving device and separate the packets from other incoming signals. Networking protocols dictate the rules for data representation, signaling, transfer, authentication, and error detection required to transmit information between the sending system and receiving system.
- The Open Systems Interconnection Reference Model (OSI model) describes seven different layers that define requirements for communications between two computer systems. The OSI model was developed to enable interoperability between platforms offered by various vendors. Each layer of the OSI model performs services for the layer above and requests services from the layer below. In order from lowest to highest, the layers of the OSI model are: (i) the physical layer, which defines the electrical and physical specifications for devices, (ii) the data link layer, which specifies the transfer of data between network entities, (iii) the network layer, which describes the transmission of variable length data sequences from a source to a destination via one or more networks, (iv) the transport layer, which transfers data between end users, (v) the session layer, which opens, maintains, and closes connections between network devices, (vi) the presentation layer, which transforms data into a form usable by an application, and finally, (vii) the application layer, which allows a user to access the information transmitted over the network.
- In general, in one aspect, the invention relates to a method for routing a packet. The method includes receiving the packet in a network interface card (NIC), classifying the packet, placing the packet in a receive ring of the NIC, sending the packet to a virtual NIC associated with the receive ring, sending the packet to a first container associated with the virtual NIC, and routing the packet to a packet destination using the first container.
- In general, in one aspect, the invention relates to a system for routing a packet. The system includes a host comprising a first container; and a network interface card (NIC) operatively connected to the host. In one embodiment of the invention, the host is configured to receive the packet in the NIC, classify the packet, place the packet in a receive ring of the NIC, send the packet to a virtual NIC associated with the receive ring, send the packet to the first container associated with the virtual NIC, and route the packet to a packet destination using the first container.
- In general, in one aspect, the invention relates to a computer usable medium having computer readable program code embodied therein for causing a computer system to execute a method for configuring a network. The method includes receiving the packet in a network interface card (NIC), classifying the packet, placing the packet in a receive ring of the NIC, sending the packet to a virtual NIC associated with the receive ring, sending the packet to a first container associated with the virtual NIC, and routing the packet to the packet destination using the first container.
- Other aspects of the invention will be apparent from the following description and the appended claims.
- FIGS. 1-3 show schematic diagrams in accordance with one or more embodiments of the invention.
- FIG. 4 shows a routing module in accordance with one or more embodiments of the invention.
- FIGS. 5-6 show flow diagrams in accordance with one or more embodiments of the invention.
- FIG. 7 shows a computer system in accordance with one or more embodiments of the invention.
- Specific embodiments of the invention will now be described in detail with reference to the accompanying figures. Like elements in the various figures are denoted by like reference numerals for consistency.
- In the following detailed description of embodiments of the invention, numerous specific details are set forth in order to provide a more thorough understanding of the invention. However, it will be apparent to one of ordinary skill in the art that the invention may be practiced without these specific details. In other instances, well-known features have not been described in detail to avoid unnecessarily complicating the description.
- In general, embodiments of the invention provide a method and system to route packets using containers within a host. In one embodiment of the invention, containers correspond to isolated execution environments within the host, which are associated with one or more network interface cards (NICs). In addition, each container is associated with one or more virtual NICs. In one embodiment of the invention, the virtual NICs may implement a Media Access Control (MAC) layer configuration, such as a virtual Local Area Network (VLAN), Virtual Private Network (VPN) tunnel, etc. Embodiments of the invention allow arbitrary network topologies and configurations to exist inside a single host, with dynamic routing of packets within containers.
- FIG. 1 shows a schematic diagram of a system in accordance with one or more embodiments of the invention. As shown in FIG. 1, the system includes a host (101), multiple NICs (e.g., NIC 1 (100), NIC 2 (102), NIC 3 (103), NIC 4 (104)) connected to different networks (e.g., network 1 (136), network 2 (138), network 3 (139), network 4 (140)), multiple containers (e.g., container 1 (128), container 2 (130), container 3 (132)), each of which is connected to a virtual network stack (e.g., virtual network stack 1 (122), virtual network stack 2 (124), virtual network stack 3 (126)), which is further connected to a virtual NIC (e.g., virtual NIC 1 (106), virtual NIC 2 (108), virtual NIC 3 (110), virtual NIC 4 (112), virtual NIC 5 (114), virtual NIC 6 (116)), a container management module (134), and a virtual switch (350) connecting the virtual NICs. Each of these components is described below.
- In one embodiment of the invention, each NIC (e.g., NIC 1 (100), NIC 2 (102), NIC 3 (103), NIC 4 (104)) provides an interface between the host (101) and a network (e.g., network 1 (136), network 2 (138), network 3 (139), network 4 (140)) (e.g., a local area network, a wide area network, a wireless network, etc.). More specifically, each of the NICs (e.g., NIC 1 (100), NIC 2 (102), NIC 3 (103), NIC 4 (104)) includes a network interface (NI) (i.e., the hardware on the NIC used to interface with the network) (not shown). For example, the NI may correspond to an RJ-45 connector, a wireless antenna, etc. The packets received by the NI are then forwarded to other components on the NIC (e.g., NIC 1 (100), NIC 2 (102), NIC 3 (103), NIC 4 (104)) for processing. In one embodiment of the invention, each NIC (e.g., NIC 1 (100), NIC 2 (102), NIC 3 (103), NIC 4 (104)) includes one or more receive rings (not shown) and functionality to analyze each packet and determine to which receive ring the packet should be forwarded. In one embodiment of the invention, the receive rings correspond to portions of memory within the NIC (e.g., NIC 1 (100), NIC 2 (102), NIC 3 (103), NIC 4 (104)) used to temporarily store packets received from the network. Further, in one embodiment of the invention, a ring element of the receive rings may point to host memory.
- In one or more embodiments of the invention, analyzing individual packets includes determining to which of the receive rings each packet is forwarded. In one embodiment of the invention, analyzing the packets by a classifier (not shown) on each NIC (e.g., NIC 1 (100), NIC 2 (102), NIC 3 (103), NIC 4 (104)) includes analyzing one or more fields in each of the packets to determine to which of the receive rings the packets are forwarded. As an alternative, the classifier may use the contents of one or more fields in each packet as an index into a data structure that includes information necessary to determine to which receive ring that packet is forwarded. The classifiers may be implemented entirely in hardware (i.e., a classifier may be a separate microprocessor embedded on a NIC (e.g., NIC 1 (100), NIC 2 (102), NIC 3 (103), NIC 4 (104))). Alternatively, the classifiers may be implemented in software stored in memory (e.g., firmware, etc.) on the NIC and executed by a microprocessor on the NIC (e.g., NIC 1 (100), NIC 2 (102), NIC 3 (103), NIC 4 (104)).
- In one or more embodiments of the invention, the host (101) may include a device driver (not shown) and one or more virtual NICs (e.g., virtual NIC 1 (106), virtual NIC 2 (108), virtual NIC 3 (110), virtual NIC 4 (112), virtual NIC 5 (114), virtual NIC 6 (116)). In one embodiment of the invention, the device driver provides an interface between the receive rings on a NIC (e.g., NIC 1 (100), NIC 2 (102), NIC 3 (103), NIC 4 (104)) and the host (101). More specifically, the device driver exposes the receive rings on the NICs (e.g., NIC 1 (100), NIC 2 (102), NIC 3 (103), NIC 4 (104)) to the host (101). In one embodiment of the invention, each of the virtual NICs (e.g., virtual NIC 1 (106), virtual NIC 2 (108), virtual NIC 3 (110), virtual NIC 4 (112), virtual NIC 5 (114), virtual NIC 6 (116)) is associated with one or more receive rings on a NIC (e.g., NIC 1 (100), NIC 2 (102), NIC 3 (103), NIC 4 (104)). In other words, a virtual NIC (e.g., virtual NIC 1 (106), virtual NIC 2 (108), virtual NIC 3 (110), virtual NIC 4 (112), virtual NIC 5 (114), virtual NIC 6 (116)) receives incoming packets from the corresponding receive ring. In one or more embodiments of the invention, outgoing packets are forwarded from a virtual NIC (e.g., virtual NIC 1 (106), virtual NIC 2 (108), virtual NIC 3 (110), virtual NIC 4 (112), virtual NIC 5 (114), virtual NIC 6 (116)) to a corresponding transmit ring (not shown), which temporarily stores the packet before transmitting the packet over the network. In one or more embodiments of the invention, receive rings and transmit rings are implemented as ring buffers in either software or hardware.
- In one or more embodiments of the invention, the virtual NICs (e.g., virtual NIC 1 (106), virtual NIC 2 (108), virtual NIC 3 (110), virtual NIC 4 (112), virtual NIC 5 (114), virtual NIC 6 (116)) are operatively connected to containers (e.g., container 1 (128), container 2 (130), container 3 (132)) via virtual network stacks (e.g., virtual network stack 1 (122), virtual network stack 2 (124), virtual network stack 3 (126)). The virtual NICs (e.g., virtual NIC 1 (106), virtual NIC 2 (108), virtual NIC 3 (110), virtual NIC 4 (112), virtual NIC 5 (114), virtual NIC 6 (116)) provide an abstraction layer between the NICs (e.g., NIC 1 (100), NIC 2 (102), NIC 3 (103), NIC 4 (104)) and the containers (e.g., container 1 (128), container 2 (130), container 3 (132)) on the host (101). More specifically, each virtual NIC (e.g., virtual NIC 1 (106), virtual NIC 2 (108), virtual NIC 3 (110), virtual NIC 4 (112), virtual NIC 5 (114), virtual NIC 6 (116)) operates like a NIC (e.g., NIC 1 (100), NIC 2 (102), NIC 3 (103), NIC 4 (104)). For example, in one or more embodiments of the invention, each virtual NIC (e.g., virtual NIC 1 (106), virtual NIC 2 (108), virtual NIC 3 (110), virtual NIC 4 (112), virtual NIC 5 (114), virtual NIC 6 (116)) is associated with one or more IP addresses and one or more MAC addresses. Further, each virtual NIC may be optionally associated with one or more ports, and configured to handle one or more protocol types. As a result, containers (e.g., container 1 (128), container 2 (130), container 3 (132)) on the host (101) are unable to distinguish a virtual NIC (e.g., virtual NIC 1 (106), virtual NIC 2 (108), virtual NIC 3 (110), virtual NIC 4 (112), virtual NIC 5 (114), virtual NIC 6 (116)) from a physical NIC (e.g., NIC 1 (100), NIC 2 (102), NIC 3 (103), NIC 4 (104)).
- In one or more embodiments of the invention, the virtual NICs (e.g., virtual NIC 1 (106), virtual NIC 2 (108), virtual NIC 3 (110), virtual NIC 4 (112), virtual NIC 5 (114), virtual NIC 6 (116)) are associated with a MAC layer (not shown), which is responsible for moving data packets between the NIC and virtual NICs, as well as between other NICs on other hosts, using MAC protocols. The MAC layer is also responsible for ensuring that collisions do not occur when signals are sent from multiple devices at the same time. In addition, the virtual NICs (e.g., virtual NIC 1 (106), virtual NIC 2 (108), virtual NIC 3 (110), virtual NIC 4 (112), virtual NIC 5 (114), virtual NIC 6 (116)) may implement a MAC layer configuration, such as a virtual LAN, VPN tunnel, etc.
- In one or more embodiments of the invention, each virtual network stack (e.g., virtual network stack 1 (122), virtual network stack 2 (124), virtual network stack 3 (126)) includes functionality to process packets in accordance with various protocols used to send and receive packets (e.g., Transmission Control Protocol (TCP), Internet Protocol (IP), User Datagram Protocol (UDP), etc.). Further, each virtual network stack may also include functionality, as needed, to perform additional processing on the incoming and outgoing packets. This additional processing may include, but is not limited to, cryptographic processing, firewall routing, etc.
- In one or more embodiments of the invention, the virtual network stacks (e.g., virtual network stack 1 (122), virtual network stack 2 (124), virtual network stack 3 (126)) correspond to network stacks with network layer and transport layer functionality. In one embodiment of the invention, network layer functionality corresponds to functionality to manage packet addressing and delivery on a network (e.g., functionality to support IP, Address Resolution Protocol (ARP), Internet Control Message Protocol, etc.). In one embodiment of the invention, transport layer functionality corresponds to functionality to manage the transfer of packets on the network (e.g., functionality to support TCP, UDP, Stream Control Transmission Protocol (SCTP), etc.). In one or more embodiments of the invention, the virtual network stacks (e.g., virtual network stack 1 (122), virtual network stack 2 (124), virtual network stack 3 (126)) implement an IP layer (not shown) and a TCP layer (not shown).
- As shown in FIG. 1, the host (101) includes a global container (not shown) and a number of non-global containers (e.g., container 1 (128), container 2 (130), container 3 (132)). The global container corresponds to an isolated execution environment within the host (101). Further, each non-global container (e.g., container 1 (128), container 2 (130), container 3 (132)) corresponds to an isolated execution environment within the global container. All of the containers (global and non-global) share a common kernel, and as a result, execute the same operating system. While all of the containers share a common kernel, the non-global containers (e.g., container 1 (128), container 2 (130), container 3 (132)) are configured such that processes executing in a given non-global container are restricted to execute in the non-global container and have no access to resources not assigned to the non-global container. The isolated execution environments of each non-global container (e.g., container 1 (128), container 2 (130), container 3 (132)) as well as the global container are managed by a container management component (not shown) executing on the host (101). The container management component typically executes outside of the global container. An example of a container is a Solaris™ Container. (Solaris is a trademark of Sun Microsystems, Inc. of California, USA)
- Each of the non-global containers (e.g., container 1 (128), container 2 (130), container 3 (132)) is configured to send and receive packets to and from the NICs (e.g., NIC 1 (100), NIC 2 (102), NIC 3 (103), NIC 4 (104)). The virtual network stacks (e.g., virtual network stack 1 (122), virtual network stack 2 (124), virtual network stack 3 (126)) connected to the non-global containers (e.g., container 1 (128), container 2 (130), container 3 (132)) process outgoing packets before transmitting the packets to other containers or hosts; the virtual network stacks also process incoming packets from other sources before sending the packets to the containers. In one or more embodiments of the invention, each non-global container (e.g., container 1 (128), container 2 (130), container 3 (132)) and the global container (101) are identified by a container ID, which uniquely identifies the container in the host (101).
- In addition, each non-global container (e.g., container 1 (128), container 2 (130), container 3 (132)) includes a routing module (e.g., routing module 1 (142), routing module 2 (144), routing module 3 (146)). In one or more embodiments of the invention, the routing modules (e.g., routing module 1 (142), routing module 2 (144), routing module 3 (146)) enable the containers (e.g., container 1 (128), container 2 (130), container 3 (132)) to function as routers. In other words, the routing modules (e.g., routing module 1 (142), routing module 2 (144), routing module 3 (146)) allow containers (e.g., container 1 (128), container 2 (130), container 3 (132)) to perform routing of packets between networks (e.g., network 1 (136), network 2 (138), network 3 (139), network 4 (140)).
- In one or more embodiments of the invention, the classifier (not shown) on a NIC (e.g., NIC 1 (100), NIC 2 (102), NIC 3 (103), NIC 4 (104)) uses a set of source and/or destination address ranges to direct uncategorized packets received from a network (e.g., network 1 (136), network 2 (138), network 3 (139), network 4 (140)) to a specific receive ring on the NIC. These packets are then sent to the virtual NIC (e.g., virtual NIC 1 (106), virtual NIC 2 (108), virtual NIC 3 (110), virtual NIC 4 (112), virtual NIC 5 (114), virtual NIC 6 (116)) associated with the receive ring, passed to the virtual network stack (e.g., virtual network stack 1 (122), virtual network stack 2 (124), virtual network stack 3 (126)) connected to the virtual NIC, and sent to the container (e.g., container 1 (128), container 2 (130), container 3 (132)) governing the virtual network stack. The packets may be processed by the virtual network stacks (e.g., virtual network stack 1 (122), virtual network stack 2 (124), virtual network stack 3 (126)) and/or containers (e.g., container 1 (128), container 2 (130), container 3 (132)), then routed by the containers to another network (e.g., network 1 (136), network 2 (138), network 3 (139), network 4 (140)). In one or more embodiments of the invention, the containers (e.g., container 1 (128), container 2 (130), container 3 (132)) use characteristics of the packets and/or of the network configuration in general to route the packets.
- The container (e.g., container 1 (128), container 2 (130), container 3 (132)) may choose to implement all of the MAC and IP layer functionalities described with the virtual NICs (e.g., virtual NIC 1 (106), virtual NIC 2 (108), virtual NIC 3 (110), virtual NIC 4 (112), virtual NIC 5 (114), virtual NIC 6 (116)) or with the virtual network stacks (e.g., virtual network stack 1 (122), virtual network stack 2 (124), virtual network stack 3 (126)) on its own. On the other hand, each container (e.g., container 1 (128), container 2 (130), container 3 (132)) may choose to govern its virtual network stack (e.g., virtual network stack 1 (122); virtual network stack 2 (124), virtual network stack 3 (126)), as well as the virtual NICs (e.g., virtual NIC 1 (106), virtual NIC 2 (108), virtual NIC 3 (110), virtual NIC 4 (112), virtual NIC 5 (114), virtual NIC 6 (116)) associated with its virtual network stack, such that the virtual network stack and virtual NICs behave as expected.
- In one embodiment of the invention, the routing module (e.g., routing module 1 (142), routing module 2 (144), routing module 3 (146)) of each container (e.g., container 1 (128), container 2 (130), container 3 (132)) may include a routing table (not shown), which stores the best routes to certain network destinations, routing metrics associated with the routes, and the path to the next hop in the route. Alternatively, the routing table may be stored in the virtual network stack (e.g., virtual network stack 1 (122), virtual network stack 2 (124), virtual network stack 3 (126)) associated with the container (e.g., container 1 (128), container 2 (130), container 3 (132)) and used by the routing module (e.g., routing module 1 (142), routing module 2 (144), routing module 3 (146)) from the virtual network stack, or used by the virtual network stack itself. The routing module (e.g., routing module 1 (142), routing module 2 (144), routing module 3 (146)) uses a routing protocol, such as Routing Information Protocol (RIP), Open Shortest Path First (OSPF), or Intermediate System to Intermediate System (IS-IS), to communicate with other routing containers (e.g., container 1 (128), container 2 (130), container 3 (132)) and routers. The routing table is then built by the routing module (e.g., routing module 1 (142), routing module 2 (144), routing module 3 (146)) based on the communications with other routing devices. In one or more embodiments of the invention, the routing table also includes hierarchical routing features such as Multiprotocol Label Switching (MPLS), allowing packets to be processed more quickly. In addition, protocols such as MPLS allow the creation of VPNs and traffic engineering policies within the routing module (e.g., routing module 1 (142), routing module 2 (144), routing module 3 (146)).
- Continuing with the discussion of FIG. 1, container 1 (128) routes between network 1 (136) and network 2 (138), container 2 routes between network 2 (138) and network 3 (139), and container 3 routes between network 3 (139) and network 4 (140). Those skilled in the art will appreciate that a container (e.g., container 1 (128), container 2 (130), container 3 (132)) may route between more than two networks. For example, a single container (e.g., container 1 (128), container 2 (130), container 3 (132)) may route packets between three or more networks (e.g., network 1 (136), network 2 (138), network 3 (139), network 4 (140)) based on source and destination addresses, protocols, packet headers, etc. In addition, a container (e.g., container 1 (128), container 2 (130), container 3 (132)) may not be directly involved in the routing. Instead, the container may configure the virtual network stack (e.g., virtual network stack 1 (122), virtual network stack 2 (124), virtual network stack 3 (126)) and virtual NICs (e.g., virtual NIC 1 (106), virtual NIC 2 (108), virtual NIC 3 (110), virtual NIC 4 (112), virtual NIC 5 (114), virtual NIC 6 (116)) to perform the routing. Packets arriving at a virtual network stack (e.g., virtual network stack 1 (122), virtual network stack 2 (124), virtual network stack 3 (126)) may never enter the container (e.g., container 1 (128), container 2 (130), container 3 (132)) attached to the virtual network stack. Instead, the container (e.g., container 1 (128), container 2 (130), container 3 (132)) relays routing policies to the virtual network stack (e.g., virtual network stack 1 (122), virtual network stack 2 (124), virtual network stack 3 (126)), virtual NICs (e.g., virtual NIC 1 (106), virtual NIC 2 (108), virtual NIC 3 (110), virtual NIC 4 (112), virtual NIC 5 (114), virtual NIC 6 (116)), and/or the NICs (e.g., NIC 1 (100), NIC 2 (102), NIC 3 (103), NIC 4 (104)), which implement the routing by processing and directing packets.
- The following is an example of one or more embodiments of the invention and is not intended to limit the scope of the invention. Turning to the example, assume that a packet from network 2 (138) is received by NIC 2 (102). Based on the contents of the packet, the classifier of NIC 2 (102) may place the packet in a receive ring corresponding to virtual NIC 2 (108) or virtual NIC 3 (110). As stated above, the classifier may use criteria found in the packet, such as source address, destination address, source or destination port, protocol, etc. to place the packet in an appropriate receive ring. The packet is then sent to virtual NIC 2 (108) or virtual NIC 3 (110), depending on the receive ring in which the packet is placed. The virtual NIC (108 or 110) may then apply MAC layer processing, such as adding or removing a VLAN tag, to the packet, before sending the packet to the virtual network stack (virtual network stack 1 (122) or virtual network stack 2 (124)) connected to the virtual NIC. In one or more embodiments of the invention, the MAC layer processing applied to the packet is based on the MAC layer configuration of the virtual NIC (108 or 110). The virtual network stack (virtual network stack 1 (122) or virtual network stack 2 (124)) may also process the packet (e.g., authenticating the packet, encrypting/decrypting the packet, network address translation (NAT), etc.) before sending the packet to the container (container 1 (128) or container 2 (130)) corresponding to the virtual network stack.
- Once the packet arrives at the container (container 1 (128) or container 2 (130)), the container may process the packet further before sending the packet back to the virtual network stack (virtual network stack 1 (122) or virtual network stack 2 (124)). Based on the contents of the packet, which may have been altered on its way up to the container (container 1 (128) or container 2 (130)), the virtual network stack (virtual network stack 1 (122) or virtual network stack 2 (124)) sends the packet to a particular virtual NIC. In the case of virtual network stack 1 (122), the packet may be sent to virtual NIC 1 (106) or virtual NIC 2 (108) depending on the packet's contents, source, and destination. Similarly, virtual network stack 2 (124) may send the packet to virtual NIC 3 (110) or virtual NIC 4 (112). For example, if a packet from network 1 (136) is received by virtual NIC 1 (106) and sent up virtual network stack 1 (122), then container 1 (128) may route the packet to network 2 (138) by sending the packet back down virtual network stack 1 (122) to virtual NIC 2 (108), where the packet is relayed to NIC 2 (102) and transmitted over network 2 (138).
- Alternatively, a packet from network 2 (138) may be destined for network 3 (139) or network 1 (136). Based on the destination address in the packet, the classifier in NIC 2 (102) places the packet in the receive ring corresponding to the virtual NIC (virtual NIC 2 (108) or virtual NIC 3 (110)) that is associated with the packet's destination address. The packet is then routed to the destination network (network 1 (136) or network 3 (139)) by proceeding up the virtual network stack (virtual network stack 1 (122) or virtual network stack 2 (124)) connected to the virtual NIC (virtual NIC 2 (108) or virtual NIC 3 (110)), then back down the virtual network stack and to the other virtual NIC (virtual NIC 1 (106) or virtual NIC 4 (112)) and NIC (NIC 1 (100) or NIC 3 (103)) corresponding to the destination network.
- FIG. 2 shows a schematic diagram of a system in accordance with one or more embodiments of the invention. Specifically, FIG. 2 shows a host (220) with two containers (e.g., container 1 (228), container 2 (230)). Container 1 (228) includes functionality to route packets between three networks (e.g., network 1 (212), network 2 (214), network 3 (216)). Each network is associated with a particular NIC (e.g., NIC 1 (200), NIC 2 (202), NIC 3 (204)), which is further associated with a virtual NIC (e.g., virtual NIC 1 (206), virtual NIC 2 (208), virtual NIC 3 (210)). The routing module (234) allows container 1 (228) to direct packets from each of the three networks (e.g., network 1 (212), network 2 (214), network 3 (216)) to another of the three networks. Alternatively, the routing module (234) may simply administer routing policies to virtual network stack 1 (222), and possibly one or more of the virtual NICs (e.g., virtual NIC 1 (206), virtual NIC 2 (208), virtual NIC 3 (210)), which implement the routing of packets from one network (e.g., network 1 (212), network 2 (214), network 3 (216)) to another. One or more of the virtual NICs (e.g., virtual NIC 1 (206), virtual NIC 2 (208), virtual NIC 3 (210)) may also implement a MAC layer configuration, such as a VLAN or VPN tunnel.
- The following is an example of one or more embodiments of the invention and is not intended to limit the scope of the invention. Turning to the example, if network 1 (212) is associated with IP address 10.1.51.0, network 2 (214) is associated with the IP address of 10.1.52.0, network 3 (216) is associated with the IP address of 10.1.53.0, and the subnet mask contains a value of 255.255.255.0, then a packet from network 1 (212) with a destination address of 10.1.53.1 will be routed to network 3 (216) by container 1 (228) and/or virtual network stack 1 (222). Similarly, a packet from network 2 (214) with a destination IP address of 10.1.51.3 will be routed to network 1 (212).
- In contrast, container 2 (230) does not perform routing on incoming or outgoing packets. Because container 2 (230) is connected to virtual network stack 2 (224), which is connected only to virtual NIC 4 (211) and NIC 4 (205), container 2 (230) is accessible from only one network (i.e., network 4 (217)). As a result, while container 2 (230) may process packets and provide services, such as email or database lookup, container 2 (230) does not function as a router. In addition, container 1 (228) and container 2 (230) operate independently from one another. Accordingly, container 1 (228) does not receive the same traffic as container 2 (230), perform the same functions as container 2 (230), or even acknowledge the existence of container 2 (230). Consequently, containers (e.g., container 1 (228), container 2 (230)) on the host (220) provide separate paths for different types of network traffic, ensure that the traffic is routed correctly, and ensure that the data paths do not overlap. In addition, a host (220) may include one or more routing containers (e.g., container 1 (228)) and one or more non-routing containers (e.g., container 2 (230)), as needed, such that all network traffic received by the host is processed and routed appropriately and independently.
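The FIG. 2 arrangement, traced in code as an added example that is not part of the patent: a NIC classifier places each packet in a receive ring by destination address range, the receive ring maps to a virtual NIC, and the owning container either routes by longest-prefix match (container 1, using the 10.1.51.0/24 to 10.1.53.0/24 addressing from the text) or, being single-homed, only consumes the packet (container 2). The prefix for network 4, the ring names and the class names are constructed assumptions; the page gives no address for network 4.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the FIG. 2 host. Networks 1-3 use the prefixes given in
# the text (10.1.5x.0 with mask 255.255.255.0); network 4 is a made-up prefix.
NETWORKS = {
    "network 1": ipaddress.ip_network("10.1.51.0/24"),
    "network 2": ipaddress.ip_network("10.1.52.0/24"),
    "network 3": ipaddress.ip_network("10.1.53.0/24"),
    "network 4": ipaddress.ip_network("10.1.54.0/24"),  # constructed, not on the page
}
# Physical NIC -> network it is attached to (FIG. 2).
NIC_NETWORK = {"NIC 1": "network 1", "NIC 2": "network 2",
               "NIC 3": "network 3", "NIC 4": "network 4"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class Classifier:
    """NIC classifier: ordered (address range -> receive ring) rules."""

    def __init__(self, rules):
        self.rules = [(ipaddress.ip_network(prefix), ring) for prefix, ring in rules]

    def ring_for(self, pkt):
        dst = ipaddress.ip_address(pkt.dst)
        for prefix, ring in self.rules:
            if dst in prefix:
                return ring
        return None  # no ring claims the packet; the NIC has nowhere to put it


class RoutingContainer:
    """Container whose routing module holds a longest-prefix-match table."""

    def __init__(self, name, vnic_networks):
        self.name = name
        # Connected routes: one entry per virtual NIC the container owns.
        self.routes = [(NETWORKS[net], vnic) for vnic, net in vnic_networks.items()]

    def route(self, pkt):
        dst = ipaddress.ip_address(pkt.dst)
        best = None
        for prefix, vnic in self.routes:
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, vnic)
        return best[1] if best else None  # None: no route, the packet is dropped


class ServiceContainer:
    """Single-homed container (container 2): consumes packets, never forwards."""

    def __init__(self, name):
        self.name = name

    def route(self, pkt):
        return "local"


def build_fig2_host():
    """Wire NICs -> classifiers -> receive rings -> virtual NICs -> containers."""
    # Every NIC in FIG. 2 feeds one virtual NIC, so each classifier has a single
    # catch-all rule; a NIC serving two virtual NICs (FIG. 1) would carry one
    # address-range rule per receive ring.
    classifiers = {nic: Classifier([("0.0.0.0/0", f"ring {nic}")]) for nic in NIC_NETWORK}
    ring_to_vnic = {"ring NIC 1": "virtual NIC 1", "ring NIC 2": "virtual NIC 2",
                    "ring NIC 3": "virtual NIC 3", "ring NIC 4": "virtual NIC 4"}
    c1 = RoutingContainer("container 1", {"virtual NIC 1": "network 1",
                                          "virtual NIC 2": "network 2",
                                          "virtual NIC 3": "network 3"})
    c2 = ServiceContainer("container 2")
    vnic_owner = {"virtual NIC 1": c1, "virtual NIC 2": c1,
                  "virtual NIC 3": c1, "virtual NIC 4": c2}
    vnic_network = {"virtual NIC 1": "network 1", "virtual NIC 2": "network 2",
                    "virtual NIC 3": "network 3"}
    return classifiers, ring_to_vnic, vnic_owner, vnic_network


def deliver(nic, pkt):
    """Return the network the packet is routed to, 'local', or 'drop'."""
    classifiers, ring_to_vnic, vnic_owner, vnic_network = build_fig2_host()
    ring = classifiers[nic].ring_for(pkt)
    if ring is None:
        return "drop"
    container = vnic_owner[ring_to_vnic[ring]]
    out_vnic = container.route(pkt)
    if out_vnic is None:
        return "drop"  # destination outside every connected network
    if out_vnic == "local":
        return "local"
    return vnic_network[out_vnic]
```

Container 1 never sees traffic arriving on NIC 4, and container 2 has no route table at all, which is the isolation the paragraph above describes: a misrouted packet on one path cannot leak into the other.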
- FIG. 3 shows a schematic diagram of a system in accordance with one or more embodiments of the invention. The system of FIG. 3 shows another host (330) with two routing containers (i.e., container 1 (342), container 2 (344)). Container 1 (342) is associated with virtual network stack 1 (332), as well as three virtual NICs (virtual NIC 1 (306), virtual NIC 2 (308), virtual NIC 4 (312)). Virtual NIC 1 (306) is connected to NIC 1 (300), which is in turn connected to network 1 (336). Virtual NIC 2 (308) is associated with NIC 2 (302), which is linked to network 2 (338). As a result, container 1 (342) may route packets between network 1 (336) and network 2 (338). Container 2 (344) is connected to virtual network stack 2 (334) and two virtual NICs (e.g., virtual NIC 3 (310), virtual NIC 5 (314)). Virtual NIC 3 leads to NIC 3 (304) and network 3 (340).
- In addition, container 1 (342) and container 2 (344) are linked through a virtual switch (350) via virtual NIC 4 (312) and virtual NIC 5 (314). In one or more embodiments of the invention, the virtual switch (350) functions as a software equivalent of a network switch. In other words, the virtual switch (350) performs transparent bridging of network segments (i.e., virtual network stacks) within the host (330). For example, virtual network stack 1 (332) may transmit packets to and receive packets from virtual network stack 2 (334) by using the virtual switch (350) and related virtual NICs (e.g., virtual NIC 4 (312), virtual NIC 5 (314)). In one or more embodiments of the invention, all virtual network stacks (e.g., virtual network stack 1 (332), virtual network stack 2 (334)) connected to a virtual switch (350) are registered in the virtual switch's address table (not shown). The virtual switch (350) routes packets to their destinations using the address table. When a packet is received by the virtual switch (350), the destination address is checked against the entries in the address table. If a match is found, the packet is forwarded directly to the virtual NIC (e.g., virtual NIC 1 (306), virtual NIC 2 (308), virtual NIC 3 (310)) associated with the match, which then forwards the packet to the corresponding virtual network stack (e.g., virtual network stack 1 (332), virtual network stack 2 (334)) or to the network (e.g., network 1 (336), network 2 (338), network 3 (340)). If a match is not found, the packet is dropped. In one embodiment of the invention, the virtual switch corresponds to the virtual switch disclosed in the co-pending patent application entitled “Virtual Switch” (application Ser. No. 11/480,261) and assigned to the assignee of the present application. The aforementioned patent application is hereby incorporated by reference.
- In one or more embodiments of the invention, a routing container (e.g., container 1 (342), container 2 (344)) may route packets between the networks (e.g., network 1 (336), network 2 (338), network 3 (340)) the container is directly connected to, as well as other networks indirectly linked to the container using a virtual switch (350). In one or more embodiments of the invention, connecting the two containers (i.e., container 1 (342) and container 2 (344)) using the virtual switch (350) creates an internal virtual network. Accordingly, container 2 (344) may route packets between the internal virtual network and network 3 (340). Container 1 (342) may route packets between network 1 (336) and network 2 (338), as well as between network 1 (336) and the internal virtual network or between network 2 (338) and the internal virtual network. Further, packets sent to network 1 (336) or network 2 (338) from network 3 (340) may be transmitted to the internal virtual network from network 3 (340), where the packets are routed to virtual network stack 1 (332) and onto the destination network (e.g., network 1 (336), network 2 (338)). Similarly, packets sent from network 1 (336) or network 2 (338) to network 3 (340) may be sent to the internal virtual network and then routed by the virtual switch (350) to virtual network stack 2 (334) and further to network 3 (340).
- The following is an example of one or more embodiments of the invention and is not intended to limit the scope of the invention. Turning to the example, if a packet from network 1 (336) bound for network 3 (340) arrives at NIC 1 (300), the packet is transferred to virtual NIC 1 (306). Upon arrival at virtual NIC 1 (306), virtual NIC 1 (306) applies MAC layer processing based on the MAC layer configuration of virtual NIC 1 (306), as required, to the packet and then sends the packet to virtual network stack 1 (332). If the routing is implemented in virtual network stack 1 (332), the packet is sent to virtual NIC 4 (312), which transfers the packet to the virtual switch (350). Alternatively, if routing is implemented in container 1 (342), the packet is sent to container 1 (342) for any additional processing, then returned to virtual network stack 1 (332), which subsequently sends the packet to virtual NIC 4 (312). Virtual NIC 4 (312) subsequently sends the packet to the virtual switch (350). Upon receipt of the packet, the virtual switch (350) sends the packet to virtual NIC 5 (314) by matching the address in the packet header with an entry in its address table. Virtual NIC 5 (314) then sends the packet to virtual network stack 2 (334) and/or container 2 (344), possibly for further processing, before container 2 (344) and/or virtual network stack 2 (334) sends the packet down to virtual NIC 3 (310) and on to network 3 (340).
- In one or more embodiments of the invention, the system of FIG. 3 serves to separate an internal network and an external network. The following is an example in accordance with one or more embodiments of the invention and is not intended to limit the scope of the invention. Turning to the example, assume that network 3 (340) is an external network and network 1 (336) and network 2 (338) are two sub-networks of an internal network. In order to separate traffic between the external network and the internal networks, container 1 (342) is used for the internal networks and container 2 (344) is used for the external network. Traffic from the external network to the internal networks must be permitted through virtual network stack 2 (334) in order to reach the virtual switch (350) and the other virtual NICs (308, 310). Similarly, traffic from the internal networks must be directed by virtual network stack 1 (332) to the virtual switch (350) before the traffic reaches the external network (e.g., network 3 (340)).
- FIG. 4 shows a routing module in accordance with one or more embodiments of the invention. As shown in FIG. 4, the routing module (400) includes a routing protocol (405), a routing table (410), a security protocol (415), an address resolution utility (420), and an address translation utility (425). In one or more embodiments of the invention, each of these components may be implemented within a container, or by the virtual network stack and/or virtual NIC associated with the container. Further, each routing module (400) may include all or only a subset of the components shown in FIG. 4. The aforementioned components are described in detail below.
- In one embodiment of the invention, the routing table (410) is used to direct outgoing packets by matching destination addresses of the packets to the network paths used to reach them. In one or more embodiments of the invention, the routing table (410) lists the next hop to a destination. As mentioned previously, the routing table (410) may also implement a hierarchical routing architecture, such as MPLS, such that a single table entry can effectively select the next several hops and reduce table lookups, or so that a VPN may be implemented.
- In one or more embodiments of the invention, a routing table (410) is created using the routing protocol (405). The routing protocol (405) determines the next hop in the network path using a shortest path algorithm, such as Dijkstra's algorithm, and fills in the routing table (410) with the next hop for any given destination address. Routing protocols include, but are not limited to, Open Shortest Path First (OSPF), Routing Information Protocol (RIP), and Intermediate System to Intermediate System (IS-IS). Different routing protocols (405) may be used based on the type of network the packets are transmitted over. In addition, each routing protocol may use routing metrics, such as bandwidth, delay, hop count, path cost, load, Maximum Transmission Unit (MTU), reliability, and communication costs, to determine along which route to send packets.
- In one embodiment of the invention, the security protocol (415) secures network data by providing encryption and/or authentication of packets. In addition, the security protocol (415) may be used to create a VPN. An example of a security protocol (415) is IPsec. IPsec provides secure packet flows by the use of authentication headers (AH) in packets, as well as cryptographic protocols for data confidentiality in its encapsulating security payload (ESP). Other security protocols (415) include Secure Sockets Layer (SSL) and Transport Layer Security (TLS).
- In one embodiment of the invention, an address resolution utility (420) is used by the routing module (400) to determine a host's hardware address from a network address, or vice versa. Examples of address resolution utilities include Address Resolution Protocol (ARP) and Inverse ARP. For example, the address resolution utility (420) may be used if one host sends a packet to another host, and knows the IP address but not the MAC address of the other host. In such cases, an ARP request is broadcast by the first host and received by the second host, which replies with the missing information. The address resolution utility (420) may also be used if the MAC address of the other host is known, but not the IP address.
- In one embodiment of the invention, the address translation utility (425) rewrites the source and/or destination addresses of packets as they pass through the routing module (400) or the virtual network stack implementing the address translation. In one or more embodiments of the invention, address translation allows multiple hosts on a private network to access other networks, such as the Internet, using a single IP address. For example, if the routing module (400) is responsible for routing traffic between two networks, outgoing packets from the first network may have their source IP addresses rewritten to a specific value by the address translation utility (425) before being sent to the second network. The address translation utility (425) may also provide a firewall for a network by preventing hosts outside the network from reaching devices within the network.
- FIG. 5 shows a flow diagram of a system setup in accordance with one or more embodiments of the invention. First, the network requirements are determined (Step 501). The network requirements may include network services (e.g., web, email, database, file transfer, etc.), routing capabilities between multiple networks, firewalls, VPNs, VLANs, etc. Next, a container is created to handle a network requirement (Step 503). In one or more embodiments of the invention, multiple network requirements may be satisfied with one container, or more containers. For example, a single container may include functionality to route packets and serve as a firewall. Alternatively, multiple containers may be required to implement a demilitarized zone (DMZ).
- Once the container(s) have been created, a virtual network stack is created for the container (Step 505) and connected to the container (Step 507). As stated above, the virtual network stack is responsible for handling and processing packets at the transport and network layers. Next, the routing module for the container is configured (Step 509). Configuring the routing module may include specifying the routing protocol, creating the routing table from the routing protocol, setting up a security protocol, enabling address resolution and translation, etc. The steps of configuring the routing module may be performed by an administrator, or may be automatically completed by processes running on the host. Those skilled in the art will appreciate that basic routing configuration steps may be automated, with customization steps performed manually by an administrator if needed.
- A virtual NIC corresponding to a NIC is then created (Step 511). In one or more embodiments of the invention, each receive ring on the NIC corresponds to a virtual network, such as a VLAN. The virtual NIC is then associated with one or more of the receive rings on the NIC. As a result, packets from that VLAN are separated at the NIC level and remain separated, while in the host, from packets from other VLANs connected to the NIC. Alternatively, each receive ring on the NIC is simply associated with a set of addresses (e.g., IP addresses, MAC addresses, etc.). Consequently, a virtual NIC connected to a specific receive ring may only receive packets for the set of addresses associated with the receive ring. Packets sent from the virtual NIC to the NIC are correspondingly placed in one or more transmit rings within the NIC.
- Once the virtual NIC is created, the container is connected to the virtual NIC (Step 513). The NIC is then configured to handle network traffic for the container (Step 515). For example, the classifier on the NIC is programmed to place packets with certain characteristics, such as source address, destination address, protocol, etc. in the receive ring associated with the virtual NIC.
- When the container is connected to the network through the virtual network stack, virtual NIC, and NIC, a determination is made about whether additional connections are needed (Step 517).
- Once all components related to one container are created, a determination is made about whether all network requirements are handled (Step 519). If so, the setup is complete. If not, Steps 503-519 are repeated until all network requirements are fulfilled.
- FIG. 6 shows a flow diagram of packet routing in accordance with one or more embodiments of the invention. Initially, the packet is received in a NIC (Step 601). The packet is then classified (Step 603) by the classifier on the NIC and placed in the appropriate receive ring (Step 605) of the NIC. As described above, the classifier may use one or more fields in the packet header, or even the packet contents, to classify the packet. In one or more embodiments of the invention, if the packet cannot be classified into a specific receive ring, the classifier places the packet into a default receive ring on the NIC, which is connected to a routing container. The routing container is then able to direct the packet in the appropriate direction upon receiving the packet.
- From the receive ring, the packet is sent to the virtual NIC (Step 607) connected to the receive ring. The virtual NIC may then apply MAC layer processing to the packet (Step 609) if necessary. As mentioned above, the MAC layer processing may be based on the MAC layer configuration of the virtual NIC. MAC layer configurations may include VPN tunnel functionalities, VLAN tags, etc. The packet is then sent to the container (Step 611), where the packet is processed (Step 613). As mentioned previously, the packet may alternatively be processed by the virtual network stack associated with the container, if routing capabilities are implemented in the virtual network stack and configured by the container.
- Once in the container or virtual network stack, the packet may be processed by applying network address translation (NAT), encryption/decryption, authentication, etc. In addition, the source and destination addresses of the packet are examined to determine if the packet needs to be routed further (Step 615). For example, if the packet is destined for the container, the packet does not need to be routed further.
- However, if the container functions as a router for the packet, the packet will need to be configured for routing (Step 617) by making address changes, adding and removing headers, such as in MPLS, and/or applying any cryptographic or authentication algorithms to the packet contents. The packet is then sent through the virtual network stack to the appropriate virtual NIC (Step 619), where the packet is relayed to its destination (Step 621). As stated above, each virtual NIC corresponds to a particular network connected to the NIC. Sending the packet to a virtual NIC ensures that the packet will be sent out on the network associated with the virtual NIC. In addition, the packet may be sent from the virtual NIC through a virtual switch to another virtual NIC, where the packet is sent out on another network. The first virtual NIC and virtual switch correctly send the packet to the second virtual NIC based on the contents of the packet and the address table of the virtual switch.
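As an added illustration (not code from the patent), the following Python model wires up the FIG. 3 topology through the FIG. 5 setup steps (classifier rules, ring-to-virtual-NIC bindings, routing tables) and drives packets through the FIG. 6 path: NIC classifier, receive ring, virtual NIC, routing container, virtual switch address table and egress virtual NIC. The IP prefixes, MAC addresses, VLAN ids, ring numbers and the assumption that all three networks hang off one physical NIC are constructed for the example; the drop on an unmatched switch address and the default receive ring feeding a routing container follow the text above.

```python
# Added model (not the patent's code) of the FIG. 3 topology run through the FIG. 5 setup
# and FIG. 6 routing steps; prefixes, MACs, VLAN ids and ring numbers are assumptions.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Packet:
    src: str                       # source IP address
    dst: str                       # destination IP address
    vlan: Optional[int] = None     # VLAN tag the NIC classifier keys on
    dst_mac: Optional[str] = None  # next-hop MAC, rewritten at each hop (Step 617)
    path: list = field(default_factory=list)  # components traversed, for inspection

class VirtualNIC:
    """Virtual NIC bound to one receive ring (one network) or to the virtual switch."""
    def __init__(self, name, mac, network=None):
        self.name, self.mac, self.network = name, mac, network
        self.container = self.switch = None  # routing container (Step 513) / virtual switch
    def receive(self, pkt):  # Steps 607/611: up to the container (MAC-layer processing omitted)
        pkt.path.append(self.name)
        return self.container.process(pkt)
    def transmit(self, pkt):  # Steps 619/621: into the virtual switch or out onto the network
        pkt.path.append(self.name)
        if self.switch is not None:
            return self.switch.forward(pkt)
        return ("delivered", self.network)

class VirtualSwitch:
    """Forwards on destination MAC via its address table; an unmatched MAC is dropped."""
    def __init__(self):
        self.table = {}  # MAC -> VirtualNIC
    def attach(self, vnic):
        self.table[vnic.mac] = vnic
        vnic.switch = self
    def forward(self, pkt):
        pkt.path.append("vswitch")
        vnic = self.table.get(pkt.dst_mac)
        if vnic is None:
            return ("dropped", "vswitch: no address table match")
        return vnic.receive(pkt)

class RoutingContainer:
    """Container holding a routing table (410): longest-prefix match to an egress vNIC."""
    def __init__(self, name):
        self.name = name
        self.routes = []  # (network, egress vNIC, next-hop MAC; None = directly attached)
    def add_route(self, prefix, vnic, next_hop_mac=None):
        self.routes.append((ipaddress.ip_network(prefix), vnic, next_hop_mac))
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)  # most specific first
    def process(self, pkt):  # Steps 613-617: examine addresses, pick next hop, rewrite L2 dst
        pkt.path.append(self.name)
        dst = ipaddress.ip_address(pkt.dst)
        for net, vnic, mac in self.routes:
            if dst in net:
                pkt.dst_mac = mac  # None: resolve on the attached network via ARP (420)
                return vnic.transmit(pkt)
        return ("dropped", f"{self.name}: no route to {pkt.dst}")

class NIC:
    """Physical NIC: the classifier places each packet in a receive ring bound to one vNIC."""
    def __init__(self, default_ring):
        self.ring_for_vlan, self.vnic_for_ring = {}, {}
        self.default_ring = default_ring  # unclassifiable traffic goes to a routing container
    def program(self, vlan, ring, vnic):
        self.ring_for_vlan[vlan] = ring  # Step 515: classifier rule
        self.vnic_for_ring[ring] = vnic  # Step 511: ring <-> vNIC binding
    def receive(self, pkt):
        ring = self.ring_for_vlan.get(pkt.vlan, self.default_ring)  # Steps 603-605
        pkt.path.append(f"ring{ring}")
        return self.vnic_for_ring[ring].receive(pkt)  # Step 607

def build_fig3():
    """Container 1 fronts networks 1 and 2, container 2 fronts network 3, joined by a switch."""
    v1 = VirtualNIC("vnic1", "02:00:00:00:00:01", "network1")
    v2 = VirtualNIC("vnic2", "02:00:00:00:00:02", "network2")
    v3 = VirtualNIC("vnic3", "02:00:00:00:00:03", "network3")
    v4, v5 = VirtualNIC("vnic4", "02:00:00:00:00:04"), VirtualNIC("vnic5", "02:00:00:00:00:05")
    c1, c2 = RoutingContainer("container1"), RoutingContainer("container2")
    for v in (v1, v2, v4): v.container = c1
    for v in (v3, v5): v.container = c2
    switch = VirtualSwitch()
    for v in (v4, v5): switch.attach(v)
    nic = NIC(default_ring=1)  # ring 1 feeds container 1, the routing container
    for vlan, ring, v in ((1, 1, v1), (2, 2, v2), (3, 3, v3)):
        nic.program(vlan, ring, v)
    c1.add_route("10.1.0.0/16", v1)                      # internal sub-network 1
    c1.add_route("10.2.0.0/16", v2)                      # internal sub-network 2
    c1.add_route("0.0.0.0/0", v4, next_hop_mac=v5.mac)   # everything else via container 2
    c2.add_route("203.0.113.0/24", v3)                   # external network 3
    c2.add_route("10.0.0.0/8", v5, next_hop_mac=v4.mac)  # internal networks via container 1
    return nic, switch

if __name__ == "__main__":
    nic, _ = build_fig3()
    pkt = Packet("10.1.0.5", "203.0.113.9", vlan=1)
    print(nic.receive(pkt), " -> ".join(pkt.path))
```

Tracing `pkt.path` shows that every packet crossing between the internal sub-networks and network 3 passes through both containers and the virtual switch, which is the separation property the FIG. 3 discussion relies on.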
- The invention may be implemented on virtually any type of computer regardless of the platform being used. For example, as shown in FIG. 7, a computer system (700) includes a processor (702), associated memory (704), a storage device (706), and numerous other elements and functionalities typical of today's computers (not shown). The computer (700) may also include input means, such as a keyboard (708) and a mouse (710), and output means, such as a monitor (712). The computer system (700) is connected to a local area network (LAN) or a wide area network (e.g., the Internet) (not shown) via a network interface connection (not shown). Those skilled in the art will appreciate that these input and output means may take other forms.
- Further, those skilled in the art will appreciate that one or more elements of the aforementioned computer system (700) may be located at a remote location and connected to the other elements over a network. Further, the invention may be implemented on a distributed system having a plurality of nodes, where each portion of the invention (e.g., virtual NIC, virtual network stack, container, etc.) may be located on a different node within the distributed system. In one embodiment of the invention, the node corresponds to a computer system. Alternatively, the node may correspond to a processor with associated physical memory. The node may alternatively correspond to a processor with shared memory and/or resources. Further, software instructions to perform embodiments of the invention may be stored on a computer readable medium such as a compact disc (CD), a diskette, a tape, a file, or any other computer readable storage device.
- While the invention has been described with respect to a limited number of embodiments, those skilled in the art, having benefit of this disclosure, will appreciate that other embodiments can be devised which do not depart from the scope of the invention as disclosed herein. Accordingly, the scope of the invention should be limited only by the attached claims.
Claims (20)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/642,756 US7738457B2 (en) | 2006-12-20 | 2006-12-20 | Method and system for virtual routing using containers |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/642,756 US7738457B2 (en) | 2006-12-20 | 2006-12-20 | Method and system for virtual routing using containers |
Publications (2)
Publication Number | Publication Date |
---|---|
US20080151893A1 true US20080151893A1 (en) | 2008-06-26 |
US7738457B2 US7738457B2 (en) | 2010-06-15 |
Family
ID=39542700
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/642,756 Active 2028-01-23 US7738457B2 (en) | 2006-12-20 | 2006-12-20 | Method and system for virtual routing using containers |
Country Status (1)
Country | Link |
---|---|
US (1) | US7738457B2 (en) |
US8331362B2 (en) * | 2008-12-30 | 2012-12-11 | Juniper Networks, Inc. | Methods and apparatus for distributed dynamic network provisioning |
US8565118B2 (en) * | 2008-12-30 | 2013-10-22 | Juniper Networks, Inc. | Methods and apparatus for distributed dynamic network provisioning |
US8659639B2 (en) | 2009-05-29 | 2014-02-25 | Cisco Technology, Inc. | System and method for extending communications between participants in a conferencing environment |
USRE48951E1 (en) | 2015-08-05 | 2022-03-01 | Ecolab Usa Inc. | Hand hygiene compliance monitoring |
US9082297B2 (en) | 2009-08-11 | 2015-07-14 | Cisco Technology, Inc. | System and method for verifying parameters in an audiovisual environment |
US8953603B2 (en) | 2009-10-28 | 2015-02-10 | Juniper Networks, Inc. | Methods and apparatus related to a distributed switch fabric |
US8442048B2 (en) | 2009-11-04 | 2013-05-14 | Juniper Networks, Inc. | Methods and apparatus for configuring a virtual network switch |
US9225916B2 (en) | 2010-03-18 | 2015-12-29 | Cisco Technology, Inc. | System and method for enhancing video images in a conferencing environment |
US9313452B2 (en) | 2010-05-17 | 2016-04-12 | Cisco Technology, Inc. | System and method for providing retracting optics in a video conferencing environment |
US20120092439A1 (en) * | 2010-10-19 | 2012-04-19 | Cisco Technology, Inc. | System and method for providing connectivity in a network environment |
US8599865B2 (en) | 2010-10-26 | 2013-12-03 | Cisco Technology, Inc. | System and method for provisioning flows in a mobile network environment |
US9111138B2 (en) | 2010-11-30 | 2015-08-18 | Cisco Technology, Inc. | System and method for gesture interface control |
US8891406B1 (en) | 2010-12-22 | 2014-11-18 | Juniper Networks, Inc. | Methods and apparatus for tunnel management within a data center |
US8934026B2 (en) | 2011-05-12 | 2015-01-13 | Cisco Technology, Inc. | System and method for video coding in a dynamic environment |
KR101953790B1 (en) * | 2012-02-27 | 2019-03-05 | 한국전자통신연구원 | Apparatus and method for cloud networking |
US9285865B2 (en) * | 2012-06-29 | 2016-03-15 | Oracle International Corporation | Dynamic link scaling based on bandwidth utilization |
US9681154B2 (en) | 2012-12-06 | 2017-06-13 | Patent Capital Group | System and method for depth-guided filtering in a video conference environment |
US9843621B2 (en) | 2013-05-17 | 2017-12-12 | Cisco Technology, Inc. | Calendaring activities based on communication processing |
US10187355B2 (en) * | 2016-09-27 | 2019-01-22 | Comscore, Inc. | Systems and methods for activating a private network |
US11947489B2 (en) | 2017-09-05 | 2024-04-02 | Robin Systems, Inc. | Creating snapshots of a storage volume in a distributed storage system |
US10579276B2 (en) | 2017-09-13 | 2020-03-03 | Robin Systems, Inc. | Storage scheme for a distributed storage system |
US10430105B2 (en) | 2017-09-13 | 2019-10-01 | Robin Systems, Inc. | Storage scheme for a distributed storage system |
US10452267B2 (en) | 2017-09-13 | 2019-10-22 | Robin Systems, Inc. | Storage scheme for a distributed storage system |
US10423344B2 (en) | 2017-09-19 | 2019-09-24 | Robin Systems, Inc. | Storage scheme for a distributed storage system |
US10534549B2 (en) | 2017-09-19 | 2020-01-14 | Robin Systems, Inc. | Maintaining consistency among copies of a logical storage volume in a distributed storage system |
US10846001B2 (en) | 2017-11-08 | 2020-11-24 | Robin Systems, Inc. | Allocating storage requirements in a distributed storage system |
US10782887B2 (en) | 2017-11-08 | 2020-09-22 | Robin Systems, Inc. | Window-based priority tagging of IOPs in a distributed storage system |
US10430110B2 (en) | 2017-12-19 | 2019-10-01 | Robin Systems, Inc. | Implementing a hybrid storage node in a distributed storage system |
US10430292B2 (en) | 2017-12-19 | 2019-10-01 | Robin Systems, Inc. | Snapshot deletion in a distributed storage system |
US10452308B2 (en) | 2017-12-19 | 2019-10-22 | Robin Systems, Inc. | Encoding tags for metadata entries in a storage system |
US11099937B2 (en) | 2018-01-11 | 2021-08-24 | Robin Systems, Inc. | Implementing clone snapshots in a distributed storage system |
US11748203B2 (en) | 2018-01-11 | 2023-09-05 | Robin Systems, Inc. | Multi-role application orchestration in a distributed storage system |
US11392363B2 (en) * | 2018-01-11 | 2022-07-19 | Robin Systems, Inc. | Implementing application entrypoints with containers of a bundled application |
US10628235B2 (en) | 2018-01-11 | 2020-04-21 | Robin Systems, Inc. | Accessing log files of a distributed computing system using a simulated file system |
US11582168B2 (en) * | 2018-01-11 | 2023-02-14 | Robin Systems, Inc. | Fenced clone applications |
US10642697B2 (en) | 2018-01-11 | 2020-05-05 | Robin Systems, Inc. | Implementing containers for a stateful application in a distributed computing system |
US10896102B2 (en) | 2018-01-11 | 2021-01-19 | Robin Systems, Inc. | Implementing secure communication in a distributed computing system |
US10845997B2 (en) | 2018-01-12 | 2020-11-24 | Robin Systems, Inc. | Job manager for deploying a bundled application |
US10579364B2 (en) | 2018-01-12 | 2020-03-03 | Robin Systems, Inc. | Upgrading bundled applications in a distributed computing system |
US10846137B2 (en) | 2018-01-12 | 2020-11-24 | Robin Systems, Inc. | Dynamic adjustment of application resources in a distributed computing system |
US10642694B2 (en) | 2018-01-12 | 2020-05-05 | Robin Systems, Inc. | Monitoring containers in a distributed computing system |
US11023328B2 (en) | 2018-07-30 | 2021-06-01 | Robin Systems, Inc. | Redo log for append only storage scheme |
US10976938B2 (en) | 2018-07-30 | 2021-04-13 | Robin Systems, Inc. | Block map cache |
US10817380B2 (en) | 2018-07-31 | 2020-10-27 | Robin Systems, Inc. | Implementing affinity and anti-affinity constraints in a bundled application |
US10599622B2 (en) | 2018-07-31 | 2020-03-24 | Robin Systems, Inc. | Implementing storage volumes over multiple tiers |
US10659301B2 (en) | 2018-08-24 | 2020-05-19 | Cisco Technology, Inc. | Configuring container attribute data on network switches to enable networking functionality |
US10908848B2 (en) | 2018-10-22 | 2021-02-02 | Robin Systems, Inc. | Automated management of bundled applications |
US11036439B2 (en) | 2018-10-22 | 2021-06-15 | Robin Systems, Inc. | Automated management of bundled applications |
US10620871B1 (en) | 2018-11-15 | 2020-04-14 | Robin Systems, Inc. | Storage scheme for a distributed storage system |
EP3900307A1 (en) * | 2018-12-20 | 2021-10-27 | Ecolab USA, Inc. | Adaptive route, bi-directional network communication |
US11086725B2 (en) | 2019-03-25 | 2021-08-10 | Robin Systems, Inc. | Orchestration of heterogeneous multi-role applications |
US11256434B2 (en) | 2019-04-17 | 2022-02-22 | Robin Systems, Inc. | Data de-duplication |
US10831387B1 (en) | 2019-05-02 | 2020-11-10 | Robin Systems, Inc. | Snapshot reservations in a distributed storage system |
US10877684B2 (en) | 2019-05-15 | 2020-12-29 | Robin Systems, Inc. | Changing a distributed storage volume from non-replicated to replicated |
US11436053B2 (en) | 2019-05-24 | 2022-09-06 | Microsoft Technology Licensing, Llc | Third-party hardware integration in virtual networks |
US11226847B2 (en) | 2019-08-29 | 2022-01-18 | Robin Systems, Inc. | Implementing an application manifest in a node-specific manner using an intent-based orchestrator |
US11249851B2 (en) | 2019-09-05 | 2022-02-15 | Robin Systems, Inc. | Creating snapshots of a storage volume in a distributed storage system |
US11520650B2 (en) | 2019-09-05 | 2022-12-06 | Robin Systems, Inc. | Performing root cause analysis in a multi-role application |
US11113158B2 (en) | 2019-10-04 | 2021-09-07 | Robin Systems, Inc. | Rolling back kubernetes applications |
US11347684B2 (en) | 2019-10-04 | 2022-05-31 | Robin Systems, Inc. | Rolling back KUBERNETES applications including custom resources |
US11403188B2 (en) | 2019-12-04 | 2022-08-02 | Robin Systems, Inc. | Operation-level consistency points and rollback |
US11108638B1 (en) | 2020-06-08 | 2021-08-31 | Robin Systems, Inc. | Health monitoring of automatically deployed and managed network pipelines |
US11528186B2 (en) | 2020-06-16 | 2022-12-13 | Robin Systems, Inc. | Automated initialization of bare metal servers |
US11740980B2 (en) | 2020-09-22 | 2023-08-29 | Robin Systems, Inc. | Managing snapshot metadata following backup |
US11743188B2 (en) | 2020-10-01 | 2023-08-29 | Robin Systems, Inc. | Check-in monitoring for workflows |
US11271895B1 (en) | 2020-10-07 | 2022-03-08 | Robin Systems, Inc. | Implementing advanced networking capabilities using helm charts |
US11456914B2 (en) | 2020-10-07 | 2022-09-27 | Robin Systems, Inc. | Implementing affinity and anti-affinity with KUBERNETES |
US11777848B2 (en) | 2020-10-14 | 2023-10-03 | Oracle International Corporation | Scalable routing and forwarding of packets in cloud infrastructure |
US11750451B2 (en) | 2020-11-04 | 2023-09-05 | Robin Systems, Inc. | Batch manager for complex workflows |
US11556361B2 (en) | 2020-12-09 | 2023-01-17 | Robin Systems, Inc. | Monitoring and managing of complex multi-role applications |
US11558245B1 (en) | 2021-10-29 | 2023-01-17 | Oracle International Corporation | Secure bi-directional network connectivity system between private networks |
US11736558B2 (en) | 2021-10-29 | 2023-08-22 | Oracle International Corporation | Transparent mounting of external endpoints between private networks |
Citations (30)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6041053A (en) * | 1997-09-18 | 2000-03-21 | Microsoft Corporation | Technique for efficiently classifying packets using a trie-indexed hierarchy forest that accommodates wildcards |
US6070219A (en) * | 1996-10-09 | 2000-05-30 | Intel Corporation | Hierarchical interrupt structure for event notification on multi-virtual circuit network interface controller |
US6131163A (en) * | 1998-02-17 | 2000-10-10 | Cisco Technology, Inc. | Network gateway mechanism having a protocol stack proxy |
US6163539A (en) * | 1998-04-28 | 2000-12-19 | Pmc-Sierra Ltd. | Firmware controlled transmit datapath for high-speed packet switches |
US20020052972A1 (en) * | 2000-08-29 | 2002-05-02 | Lg Electronics, Inc. | Communication method among a plurality of virtual LANs in an IP subnet |
US6477643B1 (en) * | 1996-12-27 | 2002-11-05 | Pact Gmbh | Process for automatic dynamic reloading of data flow processors (dfps) and units with two-or-three-dimensional programmable cell architectures (fpgas, dpgas, and the like) |
US20020169884A1 (en) * | 2001-05-14 | 2002-11-14 | Jean Sebastien A. | Network device mimic support |
US20030037154A1 (en) * | 2001-08-16 | 2003-02-20 | Poggio Andrew A. | Protocol processor |
US20030065676A1 (en) * | 2001-09-05 | 2003-04-03 | Microsoft Corporation | Methods and system of managing concurrent access to multiple resources |
US6600721B2 (en) * | 1998-12-31 | 2003-07-29 | Nortel Networks Limited | End node pacing for QOS and bandwidth management |
US6714960B1 (en) * | 1996-11-20 | 2004-03-30 | Silicon Graphics, Inc. | Earnings-based time-share scheduling |
US6757731B1 (en) * | 1999-02-25 | 2004-06-29 | Nortel Networks Limited | Apparatus and method for interfacing multiple protocol stacks in a communication network |
US6831893B1 (en) * | 2000-04-03 | 2004-12-14 | P-Cube, Ltd. | Apparatus and method for wire-speed classification and pre-processing of data packets in a full duplex network |
US20040267866A1 (en) * | 2003-06-24 | 2004-12-30 | International Business Machines Corporation | Virtual machine connection to a tangible network |
US6859841B2 (en) * | 1998-06-15 | 2005-02-22 | Intel Corporation | Programmable system for processing a partitioned network infrastructure |
US20050097226A1 (en) * | 2003-10-31 | 2005-05-05 | Sun Microsystems, Inc. | Methods and apparatus for dynamically switching between polling and interrupt to handle network traffic |
US20050111455A1 (en) * | 2003-11-20 | 2005-05-26 | Daiki Nozue | VLAN server |
US20050135243A1 (en) * | 2003-12-18 | 2005-06-23 | Lee Wang B. | System and method for guaranteeing quality of service in IP networks |
US20050138620A1 (en) * | 2003-12-18 | 2005-06-23 | Saul Lewites | Virtual network interface |
US6944168B2 (en) * | 2001-05-04 | 2005-09-13 | Slt Logic Llc | System and method for providing transformation of multi-protocol packets in a data stream |
US20060041667A1 (en) * | 2002-11-19 | 2006-02-23 | Gaeil Ahn | Method and apparatus for protecting legitimate traffic from dos and ddos attacks |
US20060045089A1 (en) * | 2004-08-27 | 2006-03-02 | International Business Machines Corporation | Method and apparatus for providing network virtualization |
US20060070066A1 (en) * | 2004-09-30 | 2006-03-30 | Grobman Steven L | Enabling platform network stack control in a virtualization platform |
US7046665B1 (en) * | 1999-10-26 | 2006-05-16 | Extreme Networks, Inc. | Provisional IP-aware virtual paths over networks |
US20060174324A1 (en) * | 2005-01-28 | 2006-08-03 | Zur Uri E | Method and system for mitigating denial of service in a communication network |
US7146431B2 (en) * | 1999-10-05 | 2006-12-05 | Veritas Operating Corporation | Virtual network environment |
US7177311B1 (en) * | 2002-06-04 | 2007-02-13 | Fortinet, Inc. | System and method for routing traffic through a virtual router-based network switch |
US20070038743A1 (en) * | 2005-05-17 | 2007-02-15 | Hellhake Paul R | System and method for communication in a wireless mobile ad-hoc network |
US7260102B2 (en) * | 2002-02-22 | 2007-08-21 | Nortel Networks Limited | Traffic switching using multi-dimensional packet classification |
US7313142B2 (en) * | 2002-06-07 | 2007-12-25 | Fujitsu Limited | Packet processing device |
- 2006-12-20: US US11/642,756, patent US7738457B2, status active
Cited By (261)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070171904A1 (en) * | 2006-01-24 | 2007-07-26 | Intel Corporation | Traffic separation in a multi-stack computing platform using VLANs |
US20070189308A1 (en) * | 2006-02-16 | 2007-08-16 | Izoslav Tchigevsky | Virtual machine networking using wireless bridge emulation |
US20080195781A1 (en) * | 2007-02-14 | 2008-08-14 | Samsung Electronics Co., Ltd. | Method and apparatus for data processing in mobile communication system |
US8392632B2 (en) * | 2007-02-14 | 2013-03-05 | Samsung Electronics Co., Ltd | Method and apparatus for data processing in mobile communication system |
US8738896B2 (en) * | 2008-01-09 | 2014-05-27 | Fujitsu Limited | Virtual machine execution program and information processing device |
US20100269167A1 (en) * | 2008-01-09 | 2010-10-21 | Fujitsu Limited | Virtual machine execution program and information processing device |
US9961144B2 (en) | 2008-03-20 | 2018-05-01 | Callahan Cellular L.L.C. | Data storage and retrieval |
US20090238167A1 (en) * | 2008-03-20 | 2009-09-24 | Genedics, Llp | Redundant Data Forwarding Storage |
US8909738B2 (en) | 2008-03-20 | 2014-12-09 | Tajitshu Transfer Limited Liability Company | Redundant data forwarding storage |
US9203928B2 (en) | 2008-03-20 | 2015-12-01 | Callahan Cellular L.L.C. | Data storage and retrieval |
US8458285B2 (en) | 2008-03-20 | 2013-06-04 | Post Dahl Co. Limited Liability Company | Redundant data forwarding storage |
US10601708B2 (en) | 2008-03-31 | 2020-03-24 | Amazon Technologies, Inc. | Authorizing communications between computing nodes |
US9577926B2 (en) * | 2008-03-31 | 2017-02-21 | Amazon Technologies, Inc. | Authorizing communications between computing nodes |
US10218613B2 (en) | 2008-03-31 | 2019-02-26 | Amazon Technologies, Inc. | Authorizing communications between computing nodes |
US11240092B2 (en) | 2008-03-31 | 2022-02-01 | Amazon Technologies, Inc. | Authorizing communications between computing nodes |
US9705792B2 (en) | 2008-03-31 | 2017-07-11 | Amazon Technologies, Inc. | Authorizing communications between computing nodes |
US20130205042A1 (en) * | 2008-03-31 | 2013-08-08 | Amazon Technologies, Inc. | Authorizing communications between computing nodes |
US20110167131A1 (en) * | 2008-04-25 | 2011-07-07 | Tajitshu Transfer Limited Liability Company | Real-time communications over data forwarding framework |
US8386585B2 (en) | 2008-04-25 | 2013-02-26 | Tajitshu Transfer Limited Liability Company | Real-time communications over data forwarding framework |
US20110125721A1 (en) * | 2008-05-07 | 2011-05-26 | Tajitshu Transfer Limited Liability Company | Deletion in data file forwarding framework |
US8452844B2 (en) | 2008-05-07 | 2013-05-28 | Tajitshu Transfer Limited Liability Company | Deletion in data file forwarding framework |
US8370446B2 (en) | 2008-07-10 | 2013-02-05 | Tajitshu Transfer Limited Liability Company | Advertisement forwarding storage and retrieval network |
US8599678B2 (en) | 2008-07-10 | 2013-12-03 | Tajitshu Transfer Limited Liability Company | Media delivery in data forwarding storage network |
US20100011086A1 (en) * | 2008-07-10 | 2010-01-14 | Gene Fein | Media delivery in data forwarding storage network |
US7673009B2 (en) | 2008-07-10 | 2010-03-02 | Gene Fein | Media delivery in data forwarding storage network |
US8356078B2 (en) | 2008-08-01 | 2013-01-15 | Tajitshu Transfer Limited Liability Company | Multi-homed data forwarding storage |
US8352635B2 (en) | 2008-09-29 | 2013-01-08 | Tajitshu Transfer Limited Liability Company | Geolocation assisted data forwarding storage |
US20110170547A1 (en) * | 2008-09-29 | 2011-07-14 | Tajitshu Transfer Limited Liability Company | Geolocation assisted data forwarding storage |
US20110173290A1 (en) * | 2008-09-29 | 2011-07-14 | Tajitshu Transfer Limited Liability Company | Rotating encryption in data forwarding storage |
US20110167127A1 (en) * | 2008-09-29 | 2011-07-07 | Tajitshu Transfer Limited Liability Company | Measurement in data forwarding storage |
US8478823B2 (en) | 2008-09-29 | 2013-07-02 | Tajitshu Transfer Limited Liability Company | Selective data forwarding storage |
US8489687B2 (en) | 2008-09-29 | 2013-07-16 | Tajitshu Transfer Limited Liability Company | Rotating encryption in data forwarding storage |
US8554866B2 (en) | 2008-09-29 | 2013-10-08 | Tajitshu Transfer Limited Liability Company | Measurement in data forwarding storage |
US20110090853A1 (en) * | 2008-10-10 | 2011-04-21 | Rajarathnam Chandramouli | Method and apparatus for dynamic spectrum access |
US8699430B2 (en) | 2008-10-10 | 2014-04-15 | The Trustees Of The Stevens Institute Of Technology | Method and apparatus for dynamic spectrum access |
US20100135226A1 (en) * | 2008-10-10 | 2010-06-03 | Rajarathnam Chandramouli | Method and apparatus for dynamic spectrum access |
US8873580B2 (en) * | 2008-10-10 | 2014-10-28 | The Trustees Of The Stevens Institute Of Technology | Method and apparatus for dynamic spectrum access |
US20100333189A1 (en) * | 2009-06-30 | 2010-12-30 | Sun Microsystems, Inc. | Method and system for enforcing security policies on network traffic |
US9059965B2 (en) * | 2009-06-30 | 2015-06-16 | Oracle America, Inc. | Method and system for enforcing security policies on network traffic |
US8675644B2 (en) * | 2009-10-16 | 2014-03-18 | Oracle America, Inc. | Enhanced virtual switch |
US20110090910A1 (en) * | 2009-10-16 | 2011-04-21 | Sun Microsystems, Inc. | Enhanced virtual switch |
US20110202685A1 (en) * | 2010-02-16 | 2011-08-18 | Narayanan Subramaniam | System and Method for Communication Between an Information Handling System and Management Controller Through a Shared LOM |
CN102801695A (en) * | 2011-05-27 | 2012-11-28 | 华耀(中国)科技有限公司 | Communication equipment for virtual private network and data packet transmission method for communication equipment |
US20130148656A1 (en) * | 2011-08-17 | 2013-06-13 | Nicira, Inc. | Logical L3 Daemon |
US9319375B2 (en) * | 2011-08-17 | 2016-04-19 | Nicira, Inc. | Flow templating in logical L3 routing |
US11695695B2 (en) | 2011-08-17 | 2023-07-04 | Nicira, Inc. | Logical L3 daemon |
US20130142048A1 (en) * | 2011-08-17 | 2013-06-06 | Nicira, Inc. | Flow templating in logical l3 routing |
US20130148542A1 (en) * | 2011-08-17 | 2013-06-13 | Nicira, Inc. | Handling nat in logical l3 routing |
US9461960B2 (en) * | 2011-08-17 | 2016-10-04 | Nicira, Inc. | Logical L3 daemon |
US9602404B2 (en) | 2011-08-17 | 2017-03-21 | Nicira, Inc. | Last-hop processing for reverse direction packets |
US20190028389A1 (en) * | 2011-08-17 | 2019-01-24 | Nicira, Inc. | Logical l3 daemon |
US10868761B2 (en) * | 2011-08-17 | 2020-12-15 | Nicira, Inc. | Logical L3 daemon |
US9350696B2 (en) * | 2011-08-17 | 2016-05-24 | Nicira, Inc. | Handling NAT in logical L3 routing |
US10027584B2 (en) | 2011-08-17 | 2018-07-17 | Nicira, Inc. | Distributed logical L3 routing |
US10089127B2 (en) | 2011-11-15 | 2018-10-02 | Nicira, Inc. | Control plane interface for logical middlebox services |
US10884780B2 (en) | 2011-11-15 | 2021-01-05 | Nicira, Inc. | Architecture of networks with middleboxes |
US10514941B2 (en) | 2011-11-15 | 2019-12-24 | Nicira, Inc. | Load balancing and destination network address translation middleboxes |
US11593148B2 (en) | 2011-11-15 | 2023-02-28 | Nicira, Inc. | Network control system for configuring middleboxes |
US11372671B2 (en) | 2011-11-15 | 2022-06-28 | Nicira, Inc. | Architecture of networks with middleboxes |
US10977067B2 (en) | 2011-11-15 | 2021-04-13 | Nicira, Inc. | Control plane interface for logical middlebox services |
US10310886B2 (en) | 2011-11-15 | 2019-06-04 | Nicira, Inc. | Network control system for configuring middleboxes |
US10235199B2 (en) | 2011-11-15 | 2019-03-19 | Nicira, Inc. | Migrating middlebox state for distributed middleboxes |
US11740923B2 (en) | 2011-11-15 | 2023-08-29 | Nicira, Inc. | Architecture of networks with middleboxes |
US9697030B2 (en) | 2011-11-15 | 2017-07-04 | Nicira, Inc. | Connection identifier assignment and source network address translation |
US10191763B2 (en) | 2011-11-15 | 2019-01-29 | Nicira, Inc. | Architecture of networks with middleboxes |
US10922124B2 (en) | 2011-11-15 | 2021-02-16 | Nicira, Inc. | Network control system for configuring middleboxes |
US10949248B2 (en) | 2011-11-15 | 2021-03-16 | Nicira, Inc. | Load balancing and destination network address translation middleboxes |
US20130230048A1 (en) * | 2012-03-02 | 2013-09-05 | Nec (China) Co., Ltd. | Server interconnection system, server, and data forwarding method |
US9172641B2 (en) * | 2012-03-02 | 2015-10-27 | Nec (China) Co., Ltd. | Server interconnection system, server, and data forwarding method |
US11783089B2 (en) | 2013-03-29 | 2023-10-10 | Secturion Systems, Inc. | Multi-tenancy architecture |
US11288402B2 (en) | 2013-03-29 | 2022-03-29 | Secturion Systems, Inc. | Security device with programmable systolic-matrix cryptographic module and programmable input/output interface |
US9858442B1 (en) | 2013-03-29 | 2018-01-02 | Secturion Systems, Inc. | Multi-tenancy architecture |
US11063914B1 (en) | 2013-03-29 | 2021-07-13 | Secturion Systems, Inc. | Secure end-to-end communication system |
US10013580B2 (en) | 2013-03-29 | 2018-07-03 | Secturion Systems, Inc. | Security device with programmable systolic-matrix cryptographic module and programmable input/output interface |
US11921906B2 (en) | 2013-03-29 | 2024-03-05 | Secturion Systems, Inc. | Security device with programmable systolic-matrix cryptographic module and programmable input/output interface |
US9798899B1 (en) | 2013-03-29 | 2017-10-24 | Secturion Systems, Inc. | Replaceable or removable physical interface input/output module |
US10902155B2 (en) | 2013-03-29 | 2021-01-26 | Secturion Systems, Inc. | Multi-tenancy architecture |
US20170075821A1 (en) * | 2013-04-01 | 2017-03-16 | Secturion Systems, Inc. | Multi-level independent security architecture |
US9524399B1 (en) * | 2013-04-01 | 2016-12-20 | Secturion Systems, Inc. | Multi-level independent security architecture |
US10114766B2 (en) * | 2013-04-01 | 2018-10-30 | Secturion Systems, Inc. | Multi-level independent security architecture |
US20190050348A1 (en) * | 2013-04-01 | 2019-02-14 | Secturion Systems, Inc. | Multi-level independent security architecture |
US11429540B2 (en) * | 2013-04-01 | 2022-08-30 | Secturion Systems, Inc. | Multi-level independent security architecture |
US10057109B2 (en) * | 2013-04-22 | 2018-08-21 | Cisco Technology, Inc. | Defining interdependent virtualized network functions for service level orchestration |
US20140317261A1 (en) * | 2013-04-22 | 2014-10-23 | Cisco Technology, Inc. | Defining interdependent virtualized network functions for service level orchestration |
US9952885B2 (en) | 2013-08-14 | 2018-04-24 | Nicira, Inc. | Generation of configuration files for a DHCP module executing within a virtualized container |
US11695730B2 (en) | 2013-08-14 | 2023-07-04 | Nicira, Inc. | Providing services for logical networks |
US9887960B2 (en) | 2013-08-14 | 2018-02-06 | Nicira, Inc. | Providing services for logical networks |
US10764238B2 (en) | 2013-08-14 | 2020-09-01 | Nicira, Inc. | Providing services for logical networks |
US9548965B2 (en) | 2013-08-26 | 2017-01-17 | Nicira, Inc. | Proxy methods for suppressing broadcast traffic in a network |
US9531676B2 (en) | 2013-08-26 | 2016-12-27 | Nicira, Inc. | Proxy methods for suppressing broadcast traffic in a network |
US9577845B2 (en) | 2013-09-04 | 2017-02-21 | Nicira, Inc. | Multiple active L3 gateways for logical networks |
US10003534B2 (en) | 2013-09-04 | 2018-06-19 | Nicira, Inc. | Multiple active L3 gateways for logical networks |
US10389634B2 (en) | 2013-09-04 | 2019-08-20 | Nicira, Inc. | Multiple active L3 gateways for logical networks |
US9503371B2 (en) | 2013-09-04 | 2016-11-22 | Nicira, Inc. | High availability L3 gateways for logical networks |
US10063458B2 (en) | 2013-10-13 | 2018-08-28 | Nicira, Inc. | Asymmetric connection with external networks |
US9977685B2 (en) | 2013-10-13 | 2018-05-22 | Nicira, Inc. | Configuration of logical router |
US11029982B2 (en) | 2013-10-13 | 2021-06-08 | Nicira, Inc. | Configuration of logical router |
US9910686B2 (en) | 2013-10-13 | 2018-03-06 | Nicira, Inc. | Bridging between network segments with a logical router |
US10693763B2 (en) | 2013-10-13 | 2020-06-23 | Nicira, Inc. | Asymmetric connection with external networks |
US9785455B2 (en) | 2013-10-13 | 2017-10-10 | Nicira, Inc. | Logical router |
US10528373B2 (en) | 2013-10-13 | 2020-01-07 | Nicira, Inc. | Configuration of logical router |
US9575782B2 (en) | 2013-10-13 | 2017-02-21 | Nicira, Inc. | ARP for logical router |
US10110431B2 (en) | 2014-03-14 | 2018-10-23 | Nicira, Inc. | Logical router processing by network controller |
US10164881B2 (en) | 2014-03-14 | 2018-12-25 | Nicira, Inc. | Route advertisement by managed gateways |
US10567283B2 (en) | 2014-03-14 | 2020-02-18 | Nicira, Inc. | Route advertisement by managed gateways |
US9225597B2 (en) | 2014-03-14 | 2015-12-29 | Nicira, Inc. | Managed gateways peering with external router to attract ingress packets |
US9590901B2 (en) | 2014-03-14 | 2017-03-07 | Nicira, Inc. | Route advertisement by managed gateways |
US11025543B2 (en) | 2014-03-14 | 2021-06-01 | Nicira, Inc. | Route advertisement by managed gateways |
US11252024B2 (en) | 2014-03-21 | 2022-02-15 | Nicira, Inc. | Multiple levels of logical routers |
US10411955B2 (en) | 2014-03-21 | 2019-09-10 | Nicira, Inc. | Multiple levels of logical routers |
US9647883B2 (en) | 2014-03-21 | 2017-05-09 | Nicira, Inc. | Multiple levels of logical routers |
US9893988B2 (en) | 2014-03-27 | 2018-02-13 | Nicira, Inc. | Address resolution using multiple designated instances of a logical router |
US11190443B2 (en) | 2014-03-27 | 2021-11-30 | Nicira, Inc. | Address resolution using multiple designated instances of a logical router |
US9413644B2 (en) | 2014-03-27 | 2016-08-09 | Nicira, Inc. | Ingress ECMP in virtual distributed routing environment |
US11736394B2 (en) | 2014-03-27 | 2023-08-22 | Nicira, Inc. | Address resolution using multiple designated instances of a logical router |
US9832112B2 (en) | 2014-03-31 | 2017-11-28 | Nicira, Inc. | Using different TCP/IP stacks for different hypervisor services |
US9729679B2 (en) | 2014-03-31 | 2017-08-08 | Nicira, Inc. | Using different TCP/IP stacks for different tenants on a multi-tenant host |
US9667528B2 (en) | 2014-03-31 | 2017-05-30 | Vmware, Inc. | Fast lookup and update of current hop limit |
US9940180B2 (en) | 2014-03-31 | 2018-04-10 | Nicira, Inc. | Using loopback interfaces of multiple TCP/IP stacks for communication between processes |
US10187294B2 (en) | 2014-03-31 | 2019-01-22 | Vmware, Inc. | Fast lookup and update of current hop limit |
US10091125B2 (en) | 2014-03-31 | 2018-10-02 | Nicira, Inc. | Using different TCP/IP stacks with separately allocated resources |
US10841204B2 (en) | 2014-03-31 | 2020-11-17 | Vmware, Inc. | Fast lookup and update of current hop limit |
US20150350057A1 (en) * | 2014-06-03 | 2015-12-03 | National Cheng Kung University | Switchless network topology system for parallel computation and method thereof |
US9584401B2 (en) * | 2014-06-03 | 2017-02-28 | National Cheng Kung University | Switchless network topology system for parallel computation and method thereof |
US9577927B2 (en) | 2014-06-30 | 2017-02-21 | Nicira, Inc. | Encoding control plane information in transport protocol source port field and applications thereof in network virtualization |
US10135635B2 (en) | 2014-06-30 | 2018-11-20 | Nicira, Inc. | Encoding control plane information in transport protocol source port field and applications thereof in network virtualization |
US11483175B2 (en) | 2014-09-30 | 2022-10-25 | Nicira, Inc. | Virtual distributed bridging |
US10250443B2 (en) | 2014-09-30 | 2019-04-02 | Nicira, Inc. | Using physical location to modify behavior of a distributed virtual network element |
US11252037B2 (en) | 2014-09-30 | 2022-02-15 | Nicira, Inc. | Using physical location to modify behavior of a distributed virtual network element |
US10020960B2 (en) | 2014-09-30 | 2018-07-10 | Nicira, Inc. | Virtual distributed bridging |
US9768980B2 (en) | 2014-09-30 | 2017-09-19 | Nicira, Inc. | Virtual distributed bridging |
US10511458B2 (en) | 2014-09-30 | 2019-12-17 | Nicira, Inc. | Virtual distributed bridging |
US11283731B2 (en) | 2015-01-30 | 2022-03-22 | Nicira, Inc. | Logical router with multiple routing components |
US11799800B2 (en) | 2015-01-30 | 2023-10-24 | Nicira, Inc. | Logical router with multiple routing components |
US10129180B2 (en) | 2015-01-30 | 2018-11-13 | Nicira, Inc. | Transit logical switch within logical router |
US10700996B2 (en) | 2015-01-30 | 2020-06-30 | Nicira, Inc. | Logical router with multiple routing components |
US10079779B2 (en) | 2015-01-30 | 2018-09-18 | Nicira, Inc. | Implementing logical router uplinks |
US10038628B2 (en) | 2015-04-04 | 2018-07-31 | Nicira, Inc. | Route server mode for dynamic routing between logical and physical networks |
US11601362B2 (en) | 2015-04-04 | 2023-03-07 | Nicira, Inc. | Route server mode for dynamic routing between logical and physical networks |
US10652143B2 (en) | 2015-04-04 | 2020-05-12 | Nicira, Inc. | Route server mode for dynamic routing between logical and physical networks |
US10649847B2 (en) * | 2015-05-11 | 2020-05-12 | Nec Corporation | Communication apparatus, system, method, and non-transitory medium |
US20180159716A1 (en) * | 2015-05-11 | 2018-06-07 | Nec Corporation | Communication apparatus, system, method, and non-transitory medium |
US20180165156A1 (en) * | 2015-05-11 | 2018-06-14 | Nec Corporation | Communication apparatus, system, method, and non-transitory medium |
US10601632B2 (en) * | 2015-05-11 | 2020-03-24 | Nec Corporation | Communication apparatus, system, method, and non-transitory medium for securing network communication |
US10361952B2 (en) | 2015-06-30 | 2019-07-23 | Nicira, Inc. | Intermediate logical interfaces in a virtual distributed router environment |
US10693783B2 (en) | 2015-06-30 | 2020-06-23 | Nicira, Inc. | Intermediate logical interfaces in a virtual distributed router environment |
US10348625B2 (en) | 2015-06-30 | 2019-07-09 | Nicira, Inc. | Sharing common L2 segment in a virtual distributed router environment |
US11799775B2 (en) | 2015-06-30 | 2023-10-24 | Nicira, Inc. | Intermediate logical interfaces in a virtual distributed router environment |
US11050666B2 (en) | 2015-06-30 | 2021-06-29 | Nicira, Inc. | Intermediate logical interfaces in a virtual distributed router environment |
US10225184B2 (en) | 2015-06-30 | 2019-03-05 | Nicira, Inc. | Redirecting traffic in a virtual distributed router environment |
US11533256B2 (en) | 2015-08-11 | 2022-12-20 | Nicira, Inc. | Static route configuration for logical router |
US10129142B2 (en) | 2015-08-11 | 2018-11-13 | Nicira, Inc. | Route configuration for logical router |
US10805212B2 (en) | 2015-08-11 | 2020-10-13 | Nicira, Inc. | Static route configuration for logical router |
US10230629B2 (en) | 2015-08-11 | 2019-03-12 | Nicira, Inc. | Static route configuration for logical router |
US10075363B2 (en) | 2015-08-31 | 2018-09-11 | Nicira, Inc. | Authorization for advertised routes among logical routers |
US10057157B2 (en) | 2015-08-31 | 2018-08-21 | Nicira, Inc. | Automatically advertising NAT routes between logical routers |
US10601700B2 (en) | 2015-08-31 | 2020-03-24 | Nicira, Inc. | Authorization for advertised routes among logical routers |
US11425021B2 (en) | 2015-08-31 | 2022-08-23 | Nicira, Inc. | Authorization for advertised routes among logical routers |
US11283774B2 (en) | 2015-09-17 | 2022-03-22 | Secturion Systems, Inc. | Cloud storage using encryption gateway with certificate authority identification |
US11792169B2 (en) | 2015-09-17 | 2023-10-17 | Secturion Systems, Inc. | Cloud storage using encryption gateway with certificate authority identification |
US10708236B2 (en) | 2015-10-26 | 2020-07-07 | Secturion Systems, Inc. | Multi-independent level secure (MILS) storage encryption |
US11750571B2 (en) | 2015-10-26 | 2023-09-05 | Secturion Systems, Inc. | Multi-independent level secure (MILS) storage encryption |
US10795716B2 (en) | 2015-10-31 | 2020-10-06 | Nicira, Inc. | Static route types for logical routers |
US11593145B2 (en) | 2015-10-31 | 2023-02-28 | Nicira, Inc. | Static route types for logical routers |
US10095535B2 (en) | 2015-10-31 | 2018-10-09 | Nicira, Inc. | Static route types for logical routers |
EP3429144A1 (en) * | 2015-11-17 | 2019-01-16 | Juniper Networks, Inc. | Network device data plane sandboxes for third-party controlled packet forwarding paths |
US10505868B2 (en) | 2015-11-17 | 2019-12-10 | Juniper Networks, Inc. | Network device data plane sandboxes for third-party controlled packet forwarding paths |
CN111371617A (en) * | 2015-11-17 | 2020-07-03 | Juniper Networks, Inc. | Third party controlled network device data plane sandbox for packet forwarding path |
WO2017160605A1 (en) * | 2016-03-17 | 2017-09-21 | Microsoft Technology Licensing, Llc | Network virtualization of containers in computing systems |
US10333849B2 (en) | 2016-04-28 | 2019-06-25 | Nicira, Inc. | Automatic configuration of logical routers on edge nodes |
US11502958B2 (en) | 2016-04-28 | 2022-11-15 | Nicira, Inc. | Automatic configuration of logical routers on edge nodes |
US10805220B2 (en) | 2016-04-28 | 2020-10-13 | Nicira, Inc. | Automatic configuration of logical routers on edge nodes |
US11855959B2 (en) | 2016-04-29 | 2023-12-26 | Nicira, Inc. | Implementing logical DHCP servers in logical networks |
US10841273B2 (en) | 2016-04-29 | 2020-11-17 | Nicira, Inc. | Implementing logical DHCP servers in logical networks |
US10484515B2 (en) | 2016-04-29 | 2019-11-19 | Nicira, Inc. | Implementing logical metadata proxy servers in logical networks |
US10091161B2 (en) | 2016-04-30 | 2018-10-02 | Nicira, Inc. | Assignment of router ID for logical routers |
US10749801B2 (en) | 2016-06-29 | 2020-08-18 | Nicira, Inc. | Installation of routing tables for logical router in route server mode |
US10560320B2 (en) | 2016-06-29 | 2020-02-11 | Nicira, Inc. | Ranking of gateways in cluster |
US11418445B2 (en) | 2016-06-29 | 2022-08-16 | Nicira, Inc. | Installation of routing tables for logical router in route server mode |
US10153973B2 (en) | 2016-06-29 | 2018-12-11 | Nicira, Inc. | Installation of routing tables for logical router in route server mode |
WO2018036452A1 (en) * | 2016-08-25 | 2018-03-01 | Huawei Technologies Co., Ltd. | Device and method for managing a communication interface of a communication device |
US10938619B2 (en) * | 2016-08-30 | 2021-03-02 | ColorTokens, Inc. | Allocation of virtual interfaces to containers |
US10454758B2 (en) | 2016-08-31 | 2019-10-22 | Nicira, Inc. | Edge node cluster network redundancy and fast convergence using an underlay anycast VTEP IP |
US11539574B2 (en) | 2016-08-31 | 2022-12-27 | Nicira, Inc. | Edge node cluster network redundancy and fast convergence using an underlay anycast VTEP IP |
US10452419B2 (en) | 2016-09-09 | 2019-10-22 | Huawei Technologies Co., Ltd. | Device virtualization for containers |
WO2018045921A1 (en) * | 2016-09-09 | 2018-03-15 | Huawei Technologies Co., Ltd. | Device virtualization for containers |
US10911360B2 (en) | 2016-09-30 | 2021-02-02 | Nicira, Inc. | Anycast edge service gateways |
US10341236B2 (en) | 2016-09-30 | 2019-07-02 | Nicira, Inc. | Anycast edge service gateways |
US20180115514A1 (en) * | 2016-10-24 | 2018-04-26 | Nubeva, Inc. | Providing Scalable Cloud-Based Security Services |
US10419394B2 (en) * | 2016-10-24 | 2019-09-17 | Nubeva, Inc. | Providing scalable cloud-based security services |
US10237123B2 (en) | 2016-12-21 | 2019-03-19 | Nicira, Inc. | Dynamic recovery from a split-brain failure in edge nodes |
US11665242B2 (en) | 2016-12-21 | 2023-05-30 | Nicira, Inc. | Bypassing a load balancer in a return path of network traffic |
US10645204B2 (en) | 2016-12-21 | 2020-05-05 | Nicira, Inc. | Dynamic recovery from a split-brain failure in edge nodes |
US10742746B2 (en) | 2016-12-21 | 2020-08-11 | Nicira, Inc. | Bypassing a load balancer in a return path of network traffic |
US10212071B2 (en) | 2016-12-21 | 2019-02-19 | Nicira, Inc. | Bypassing a load balancer in a return path of network traffic |
US10616045B2 (en) | 2016-12-22 | 2020-04-07 | Nicira, Inc. | Migration of centralized routing components of logical router |
US11115262B2 (en) | 2016-12-22 | 2021-09-07 | Nicira, Inc. | Migration of centralized routing components of logical router |
US11843575B2 (en) * | 2017-01-13 | 2023-12-12 | Citrix Systems, Inc. | Systems and methods to run user space network stack inside docker container while bypassing container linux network stack |
EP3590047A4 (en) * | 2017-02-28 | 2021-04-14 | Arista Networks, Inc. | System and method of network operating system containers |
US10374827B2 (en) | 2017-11-14 | 2019-08-06 | Nicira, Inc. | Identifier that maps to different networks at different datacenters |
US10511459B2 (en) | 2017-11-14 | 2019-12-17 | Nicira, Inc. | Selection of managed forwarding element for bridge spanning multiple datacenters |
US11336486B2 (en) | 2017-11-14 | 2022-05-17 | Nicira, Inc. | Selection of managed forwarding element for bridge spanning multiple datacenters |
US11637849B1 (en) | 2017-11-27 | 2023-04-25 | Lacework Inc. | Graph-based query composition |
US11792284B1 (en) | 2017-11-27 | 2023-10-17 | Lacework, Inc. | Using data transformations for monitoring a cloud compute environment |
US11770398B1 (en) | 2017-11-27 | 2023-09-26 | Lacework, Inc. | Guided anomaly detection framework |
US11765249B2 (en) | 2017-11-27 | 2023-09-19 | Lacework, Inc. | Facilitating developer efficiency and application quality |
US11849000B2 (en) | 2017-11-27 | 2023-12-19 | Lacework, Inc. | Using real-time monitoring to inform static analysis |
US11916947B2 (en) | 2017-11-27 | 2024-02-27 | Lacework, Inc. | Generating user-specific polygraphs for network activity |
US11741238B2 (en) | 2017-11-27 | 2023-08-29 | Lacework, Inc. | Dynamically generating monitoring tools for software applications |
US11134093B1 (en) | 2017-11-27 | 2021-09-28 | Lacework Inc. | Extended user session tracking |
US11818156B1 (en) | 2017-11-27 | 2023-11-14 | Lacework, Inc. | Data lake-enabled security platform |
US11470172B1 (en) | 2017-11-27 | 2022-10-11 | Lacework Inc. | Using network connections to monitor a data center |
US11882141B1 (en) | 2017-11-27 | 2024-01-23 | Lacework Inc. | Graph-based query composition for monitoring an environment |
US11153339B1 (en) | 2017-11-27 | 2021-10-19 | Lacework Inc. | Using graph-based models to identify datacenter anomalies |
US11895135B2 (en) | 2017-11-27 | 2024-02-06 | Lacework, Inc. | Detecting anomalous behavior of a device |
US11689553B1 (en) | 2017-11-27 | 2023-06-27 | Lacework Inc. | User session-based generation of logical graphs and detection of anomalies |
US11677772B1 (en) | 2017-11-27 | 2023-06-13 | Lacework Inc. | Using graph-based models to identify anomalies in a network environment |
US11894984B2 (en) | 2017-11-27 | 2024-02-06 | Lacework, Inc. | Configuring cloud deployments based on learnings obtained by monitoring other cloud deployments |
US11909752B1 (en) | 2017-11-27 | 2024-02-20 | Lacework, Inc. | Detecting deviations from typical user behavior |
US11157502B1 (en) | 2017-11-27 | 2021-10-26 | Lacework Inc. | Extensible query interface for dynamic data compositions and filter applications |
US11785104B2 (en) | 2017-11-27 | 2023-10-10 | Lacework, Inc. | Learning from similar cloud deployments |
US10979339B2 (en) | 2018-01-12 | 2021-04-13 | Juniper Networks, Inc. | Node representations of packet forwarding path elements |
US10536375B2 (en) * | 2018-01-12 | 2020-01-14 | Juniper Networks, Inc. | Individual network device forwarding plane reset |
US20220124077A1 (en) * | 2018-08-15 | 2022-04-21 | Juniper Networks, Inc. | Secure forwarding of tenant workloads in virtual networks |
US10855531B2 (en) | 2018-08-30 | 2020-12-01 | Juniper Networks, Inc. | Multiple networks for virtual execution elements |
CN110875844A (en) * | 2018-08-30 | 2020-03-10 | Juniper Networks, Inc. | Multiple virtual network interface support for virtual execution elements |
US11171830B2 (en) | 2018-08-30 | 2021-11-09 | Juniper Networks, Inc. | Multiple networks for virtual execution elements |
US10728145B2 (en) * | 2018-08-30 | 2020-07-28 | Juniper Networks, Inc. | Multiple virtual network interface support for virtual execution elements |
US11599380B2 (en) * | 2018-09-25 | 2023-03-07 | Microsoft Technology Licensing, Llc | Multi-tenant support on virtual machines in cloud computing networks |
US20210389967A1 (en) * | 2018-09-25 | 2021-12-16 | Microsoft Technology Licensing, Llc | Multi-tenant support on virtual machines in cloud computing networks |
US11159366B1 (en) * | 2018-09-28 | 2021-10-26 | Juniper Networks, Inc. | Service chaining for virtual execution elements |
US11316822B1 (en) | 2018-09-28 | 2022-04-26 | Juniper Networks, Inc. | Allocating external IP addresses from isolated pools |
US11716309B1 (en) | 2018-09-28 | 2023-08-01 | Juniper Networks, Inc. | Allocating external IP addresses from isolated pools |
US10931560B2 (en) | 2018-11-23 | 2021-02-23 | Vmware, Inc. | Using route type to determine routing protocol behavior |
US10797998B2 (en) | 2018-12-05 | 2020-10-06 | Vmware, Inc. | Route server for distributed routers using hierarchical routing protocol |
US10938788B2 (en) | 2018-12-12 | 2021-03-02 | Vmware, Inc. | Static routes for policy-based VPN |
US10841226B2 (en) | 2019-03-29 | 2020-11-17 | Juniper Networks, Inc. | Configuring service load balancers with specified backend virtual networks |
US11792126B2 (en) | 2019-03-29 | 2023-10-17 | Juniper Networks, Inc. | Configuring service load balancers with specified backend virtual networks |
US11669468B2 (en) | 2019-06-28 | 2023-06-06 | Hewlett Packard Enterprise Development Lp | Interconnect module for smart I/O |
US11593140B2 (en) | 2019-06-28 | 2023-02-28 | Hewlett Packard Enterprise Development Lp | Smart network interface card for smart I/O |
US11297106B2 (en) * | 2019-07-08 | 2022-04-05 | Secnap Network Security Corp. | Pre-routing intrusion protection for cloud based virtual computing environments |
US11095480B2 (en) | 2019-08-30 | 2021-08-17 | Vmware, Inc. | Traffic optimization using distributed edge services |
US11159343B2 (en) | 2019-08-30 | 2021-10-26 | Vmware, Inc. | Configuring traffic optimization using distributed edge services |
US11184191B1 (en) * | 2019-09-12 | 2021-11-23 | Trend Micro Incorporated | Inspection of network traffic on accelerated platforms |
US11188571B1 (en) | 2019-12-23 | 2021-11-30 | Lacework Inc. | Pod communication graph |
US11201955B1 (en) * | 2019-12-23 | 2021-12-14 | Lacework Inc. | Agent networking in a containerized environment |
US11770464B1 (en) | 2019-12-23 | 2023-09-26 | Lacework Inc. | Monitoring communications in a containerized environment |
US11256759B1 (en) | 2019-12-23 | 2022-02-22 | Lacework Inc. | Hierarchical graph analysis |
US11496437B2 (en) | 2020-04-06 | 2022-11-08 | Vmware, Inc. | Selective ARP proxy |
WO2021254079A1 (en) * | 2020-06-19 | 2021-12-23 | Huawei Technologies Co., Ltd. | Method for issuing route in campus network, and network device |
US11606294B2 (en) | 2020-07-16 | 2023-03-14 | Vmware, Inc. | Host computer configured to facilitate distributed SNAT service |
US11616755B2 (en) | 2020-07-16 | 2023-03-28 | Vmware, Inc. | Facilitating distributed SNAT service |
US11611613B2 (en) | 2020-07-24 | 2023-03-21 | Vmware, Inc. | Policy-based forwarding to a load balancer of a load balancing cluster |
US11451413B2 (en) | 2020-07-28 | 2022-09-20 | Vmware, Inc. | Method for advertising availability of distributed gateway service and machines at host computer |
US11902050B2 (en) | 2020-07-28 | 2024-02-13 | VMware LLC | Method for providing distributed gateway service at host computer |
US20220210113A1 (en) * | 2020-12-31 | 2022-06-30 | Juniper Networks, Inc. | Dynamically learning media access control and internet protocol addresses |
US11658933B2 (en) * | 2020-12-31 | 2023-05-23 | Juniper Networks, Inc. | Dynamically learning media access control and internet protocol addresses |
WO2022201544A1 (en) * | 2021-03-26 | 2022-09-29 | NEC Corporation | Infrastructure system and communication method |
US11805101B2 (en) | 2021-04-06 | 2023-10-31 | Vmware, Inc. | Secured suppression of address discovery messages |
US11954130B1 (en) | 2021-11-19 | 2024-04-09 | Lacework Inc. | Alerting based on pod communication-based logical graph |
CN114629844A (en) * | 2022-02-28 | 2022-06-14 | Zhejiang Dahua Technology Co., Ltd. | Message forwarding method and device and electronic equipment |
Also Published As
Publication number | Publication date |
---|---|
US7738457B2 (en) | 2010-06-15 |
Similar Documents
Publication | Title |
---|---|
US7738457B2 (en) | Method and system for virtual routing using containers |
US10972437B2 (en) | Applications and integrated firewall design in an adaptive private network (APN) |
US7633864B2 (en) | Method and system for creating a demilitarized zone using network stack instances |
EP3692685B1 (en) | Remotely controlling network slices in a network |
US7630368B2 (en) | Virtual network interface card loopback fastpath |
US8839409B2 (en) | Tunneled security groups |
US7376125B1 (en) | Service processing switch |
US9185056B2 (en) | System and methods for controlling network traffic through virtual switches |
US8194667B2 (en) | Method and system for inheritance of network interface card capabilities |
EP3580897B1 (en) | Method and apparatus for dynamic service chaining with segment routing for BNG |
EP3632064B1 (en) | Routing table selection in a policy based routing system |
US20170070416A1 (en) | Method and apparatus for modifying forwarding states in a network device of a software defined network |
EP3429144A1 (en) | Network device data plane sandboxes for third-party controlled packet forwarding paths |
US8630296B2 (en) | Shared and separate network stack instances |
EP2548346B1 (en) | Packet node for applying service path routing at the MAC layer |
US20080077694A1 (en) | Method and system for network security using multiple virtual network stack instances |
EP4033702A1 (en) | Service providing method and system, and remote acceleration gateway |
US11671483B2 (en) | In-band protocol-based in-network computation offload framework |
CN114172852A (en) | Distributed broadband network gateway control packet priority channel |
US8447880B2 (en) | Network stack instance architecture with selection of transport layers |
CN113395212B (en) | Network device, method of operating the same, and non-transitory computer readable medium |
Ranjbar et al. | Domain isolation in a multi-tenant software-defined network |
Lei et al. | Can Host-Based SDNs Rival the Traffic Engineering Abilities of Switch-Based SDNs? |
WO2021240215A1 (en) | Reordering and reframing packets |
Gross et al. | RFC 8926: Geneve: Generic Network Virtualization Encapsulation |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AS | Assignment | Owner name: SUN MICROSYSTEMS, INC., CALIFORNIA. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST; ASSIGNORS: NORDMARK, ERIK; TRIPATHI, SUNAY; DROUX, NICOLAS G.; REEL/FRAME: 018714/0530; SIGNING DATES FROM 20061218 TO 20061219 |
| STCF | Information on status: patent grant | Free format text: PATENTED CASE |
| CC | Certificate of correction | |
| FPAY | Fee payment | Year of fee payment: 4 |
| AS | Assignment | Owner name: ORACLE AMERICA, INC., CALIFORNIA. Free format text: MERGER AND CHANGE OF NAME; ASSIGNORS: ORACLE USA, INC.; SUN MICROSYSTEMS, INC.; ORACLE AMERICA, INC.; REEL/FRAME: 037306/0292. Effective date: 20100212 |
| MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552). Year of fee payment: 8 |
| MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1553); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY. Year of fee payment: 12 |